Windows Analysis Report
PO#001498.exe

Overview

General Information

Sample name: PO#001498.exe
Analysis ID: 1559467
MD5: c9d5aeb62d2a1523bdd0a02825d37b3c
SHA1: 53b8687154bd9960bb4c2a970d13649fd05b92e9
SHA256: dfca89417813396e9d060f2f40daac56a35f967a51be67db122c328dc4968973
Tags: exe, user-lowmal3

Detection

FormBook
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shut down / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • PO#001498.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\PO#001498.exe" MD5: C9D5AEB62D2A1523BDD0A02825D37B3C)
    • svchost.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\PO#001498.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Malware Configuration

No configs have been found

Yara Overview

Memory dumps:
  Source: 00000001.00000002.2053810289.0000000002F60000.00000004.00001000.00020000.00000000.sdmp  Rule: JoeSecurity_FormBook_1  Description: Yara detected FormBook  Author: Joe Security
  Source: 00000001.00000002.2053520113.0000000000400000.00000040.80000000.00040000.00000000.sdmp  Rule: JoeSecurity_FormBook_1  Description: Yara detected FormBook  Author: Joe Security

Unpacked PEs:
  Source: 1.2.svchost.exe.400000.0.unpack  Rule: JoeSecurity_FormBook_1  Description: Yara detected FormBook  Author: Joe Security
  Source: 1.2.svchost.exe.400000.0.raw.unpack  Rule: JoeSecurity_FormBook_1  Description: Yara detected FormBook  Author: Joe Security

Sigma Overview

System Summary

Source: Process started  Author: Florian Roth (Nextron Systems)  Data: Command: "C:\Users\user\Desktop\PO#001498.exe", CommandLine: "C:\Users\user\Desktop\PO#001498.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#001498.exe", ParentImage: C:\Users\user\Desktop\PO#001498.exe, ParentProcessId: 7332, ParentProcessName: PO#001498.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO#001498.exe", ProcessId: 7360, ProcessName: svchost.exe
Source: Process started  Author: vburov  Data: Command: "C:\Users\user\Desktop\PO#001498.exe", CommandLine: "C:\Users\user\Desktop\PO#001498.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#001498.exe", ParentImage: C:\Users\user\Desktop\PO#001498.exe, ParentProcessId: 7332, ParentProcessName: PO#001498.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO#001498.exe", ProcessId: 7360, ProcessName: svchost.exe

No Suricata rule has matched
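The Sigma hit above reduces to two conditions that can be checked on any process-creation telemetry: svchost.exe started by something other than its usual parents, and a command line that names a different executable than the process image (here the loader's own path, which is the footprint left when a suspended svchost.exe is hollowed). The Python below is an added example, not code from Joe Sandbox or from the Sigma rule itself. The events are constructed: the first reproduces the fields of the hit in this report, the other two are made-up benign svchost.exe starts used as controls. The parent allowlist is an approximation of the rule's, not a copy.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 / Security 4688 style.
# EVENTS[0] reproduces the fields of the Sigma hit in this report; the other two
# are made-up benign svchost.exe starts used as controls.
EVENTS = [
    {"ProcessId": 7360, "ParentProcessId": 7332,
     "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\PO#001498.exe"',
     "ParentImage": r"C:\Users\user\Desktop\PO#001498.exe"},
    {"ProcessId": 1184, "ParentProcessId": 716,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 4420, "ParentProcessId": 1184,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k WerSvcGroup",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# Parents that normally start svchost.exe. This approximates the allowlist of
# the Sigma rule "Uncommon Svchost Parent Process"; it is an assumption of this
# example rather than a copy of the rule, so extend it from your own baseline.
EXPECTED_SVCHOST_PARENTS = (
    "\\services.exe", "\\msmpeng.exe", "\\mrt.exe", "\\rpcnet.exe",
    "\\svchost.exe", "\\ngen.exe", "\\tiworker.exe",
)


def image_name(path):
    """Lower-cased basename of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def uncommon_svchost_parent(ev):
    """True when svchost.exe was started by a parent outside the allowlist."""
    if image_name(ev.get("Image", "")) != "svchost.exe":
        return False
    parent = ev.get("ParentImage", "").lower()
    return not parent.endswith(EXPECTED_SVCHOST_PARENTS)


# First token ending in .exe, with or without surrounding quotes.
_FIRST_EXE = re.compile(r'\s*"?([^"]+?\.exe)"?', re.IGNORECASE)


def commandline_image_mismatch(ev):
    """True when the executable named on the command line is not the image.

    A hollowed process is created from one image but keeps the injector's
    command line, which is exactly what the svchost.exe entry in this report
    shows. The first token ending in .exe is taken as the program path.
    """
    m = _FIRST_EXE.match(ev.get("CommandLine", ""))
    if not m:
        return False
    return image_name(m.group(1)) != image_name(ev.get("Image", ""))


def triage(events):
    """Return (pid, ppid, reasons) for every event that trips at least one check."""
    findings = []
    for ev in events:
        reasons = []
        if uncommon_svchost_parent(ev):
            reasons.append("svchost.exe started by an unexpected parent")
        if commandline_image_mismatch(ev):
            reasons.append("command line names a different executable than the image")
        if reasons:
            findings.append((ev["ProcessId"], ev["ParentProcessId"], reasons))
    return findings


if __name__ == "__main__":
    for pid, ppid, reasons in triage(EVENTS):
        print(f"PID {pid} (parent {ppid}): " + "; ".join(reasons))
```

Only the event reproducing the report's hit trips both checks; the two control events pass. The command-line check is worth keeping separate from the parent check because it also fires when the injector is itself a trusted signed parent.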

Signature Overview

AV Detection

Source: PO#001498.exe  ReversingLabs: Detection: 34%
Source: Yara match  File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000001.00000002.2053810289.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.2053520113.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample  Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO#001498.exe  Joe Sandbox ML: detected
Source: PO#001498.exe  Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP  source: PO#001498.exe, 00000000.00000003.1708980953.0000000003E10000.00000004.00001000.00020000.00000000.sdmp, PO#001498.exe, 00000000.00000003.1709235228.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1714586639.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711465201.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2053844274.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2053844274.0000000003100000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb  source: PO#001498.exe, 00000000.00000003.1708980953.0000000003E10000.00000004.00001000.00020000.00000000.sdmp, PO#001498.exe, 00000000.00000003.1709235228.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1714586639.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711465201.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2053844274.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2053844274.0000000003100000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FB6CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FB60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FB63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FBEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FBF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FBF56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FC1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FC1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FC1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FC4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FC6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FC6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FB2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FDF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

E-Banking Fraud

Source: Yara match  File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000001.00000002.2053810289.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.2053520113.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00F73D19 (string: This is a third-party compiled AutoIt script.)
Source: PO#001498.exe  String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PO#001498.exe, 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp  String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_173e8adb-d)
Source: PO#001498.exe, 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp  String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_66a7b08d-e)
Source: PO#001498.exe  String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_e25d9a9f-8)
Source: PO#001498.exe  String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_238ddb88-5)
Source: initial sample  Static PE information: Filename: PO#001498.exe
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0042C893 NtClose
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_031735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03174340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03174650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03173010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03173090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_031739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03173D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03173D70 NtOpenThread
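What matters in the svchost.exe list above is not any single syscall stub but that the full process-hollowing sequence (NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread) is resolved in one process, next to NtQueueApcThread and NtCreateProcessEx. These stubs also sit at 0x0317xxxx, inside the 0x03100000 region of svchost.exe in which the wntdll.pdb string was found, which is consistent with a second, privately mapped copy of ntdll rather than the system-loaded one. The Python below is an added helper, not part of the report or of Joe Sandbox: it parses "Code function" lines in this report's format (both the raw extraction form with no space before "Code function:" and the spaced form, with or without the trailing repeated address) and scores hollowing-chain coverage per process. The sample lines are copied from this section; the chain API lists are the standard hollowing and APC sequences and are an assumption of the example, not something the report states.

```python
import re
from collections import defaultdict

# "Code function" lines copied from this report section. Raw ("...exeCode
# function:"), spaced, colon-suffixed and address-only variants are all present.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172F60 NtCreateProcessEx,1_2_03172F60
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03172D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172BF0 NtAllocateVirtualMemory,1_2_03172BF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172E30 NtWriteVirtualMemory,1_2_03172E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03174340 NtSetContextThread,1_2_03174340
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172FB0 NtResumeThread,1_2_03172FB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172EE0 NtQueueApcThread,1_2_03172EE0
Source: C:\Users\user\Desktop\PO#001498.exeCode function: 0_2_00FB6685: CreateFileW,DeviceIoControl,CloseHandle,0_2_00FB6685
Source: C:\Users\user\Desktop\PO#001498.exeCode function: 0_2_00F9B0430_2_00F9B043
"""

# Joe Sandbox function ids are <pid index>_<round>_<8 hex digits>; fixing the
# width is what lets the fused "0_2_00F9B0430_2_00F9B043" form be split.
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*Code function:\s*"
    r"(?P<addr>\d+_\d+_[0-9A-Fa-f]{8}):?\s*(?P<rest>.*)$")
ADDR_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")

# Assumed API sequences (this example's choice, not stated by the report).
HOLLOWING_CHAIN = ("NtUnmapViewOfSection", "NtAllocateVirtualMemory",
                   "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread")
OTHER_INJECTION = ("NtCreateProcessEx", "NtQueueApcThread",
                   "NtCreateSection", "NtMapViewOfSection")


def parse_code_functions(text):
    """Return {process basename: set of API names} from report lines.

    The trailing repeated address and lines with no API names contribute
    nothing; unparseable lines are skipped silently.
    """
    apis_by_proc = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proc = m.group("proc").rsplit("\\", 1)[-1]
        for tok in m.group("rest").split(","):
            tok = tok.strip()
            if tok and not ADDR_RE.match(tok):
                apis_by_proc[proc].add(tok)
    return dict(apis_by_proc)


def injection_coverage(apis):
    """Which hollowing-chain and other injection primitives a process resolves."""
    present = [a for a in HOLLOWING_CHAIN if a in apis]
    missing = [a for a in HOLLOWING_CHAIN if a not in apis]
    other = [a for a in OTHER_INJECTION if a in apis]
    return {"present": present, "missing": missing,
            "other": other, "complete": not missing}


def triage(text):
    """Per-process injection coverage for a block of report lines."""
    return {proc: injection_coverage(apis)
            for proc, apis in parse_code_functions(text).items()}


if __name__ == "__main__":
    for proc, cov in triage(REPORT_LINES).items():
        flag = "FULL HOLLOWING CHAIN" if cov["complete"] else "partial"
        print(f"{proc}: {flag}; present={cov['present']} other={cov['other']}")
```

Paste the whole System Summary section into REPORT_LINES and the same function will report coverage for both processes; in this sample only svchost.exe resolves the complete chain, while the AutoIt loader's own list is Win32 housekeeping (file, token and clipboard calls).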
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FB6685 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FAACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FB79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\PO#001498.exe  Code functions (addresses only, no API names recorded):
    0_2_00F9B043, 0_2_00F83200, 0_2_00F83B70, 0_2_00FA410F, 0_2_00F902A4, 0_2_00F7E3B0, 0_2_00FA038E, 0_2_00F906D9,
    0_2_00FA467F, 0_2_00FDAACE, 0_2_00FA4BEF, 0_2_00F9CCC1, 0_2_00F7AF50, 0_2_00F76F07, 0_2_00F9D1B9, 0_2_00FD31BC,
    0_2_00F8B11F, 0_2_00FA724D, 0_2_00F9123A, 0_2_00F793F0, 0_2_00FB13CA, 0_2_00F8F563, 0_2_00F796C0, 0_2_00FBB6CC,
    0_2_00FDF7FF, 0_2_00F777B0, 0_2_00FA79C9, 0_2_00F8FA57, 0_2_00F79B60, 0_2_00F77D19, 0_2_00F99ED0, 0_2_00F8FE6F,
    0_2_00F77FA3, 0_2_01725B18
Source: C:\Windows\SysWOW64\svchost.exe  Code functions (addresses only, no API names recorded):
    1_2_00410023, 1_2_00401140, 1_2_004169F3, 1_2_00410243, 1_2_0040E223, 1_2_0040E367, 1_2_0040E373, 1_2_004025D0,
    1_2_00402E10, 1_2_0042EED3, 1_2_031FA352, 1_2_032003E6, 1_2_0314E3F0, 1_2_031E0274, 1_2_031C02C0, 1_2_031DA118,
    1_2_03130100, 1_2_031C8158, 1_2_032001AA, 1_2_031F81CC, 1_2_031D2000, 1_2_03164750, 1_2_03140770, 1_2_0313C7C0,
    1_2_0315C6E0, 1_2_03140535, 1_2_03200591, 1_2_031F2446, 1_2_031EE4F6, 1_2_031FAB40, 1_2_031F6BD7, 1_2_0313EA80,
    1_2_03156962, 1_2_0320A9A6, 1_2_031429A0, 1_2_0314A840, 1_2_03142840, 1_2_031268B8, 1_2_0316E8F0, 1_2_03160F30,
    1_2_03182F28, 1_2_031B4F40, 1_2_031BEFA0, 1_2_03132FC8, 1_2_031FEE26, 1_2_03140E59, 1_2_03152E90, 1_2_031FCE93,
    1_2_031FEEDB, 1_2_0314AD00, 1_2_03158DBF, 1_2_0313ADE0, 1_2_03140C00, 1_2_031E0CB5, 1_2_03130CF2, 1_2_031F132D,
    1_2_0312D34C, 1_2_0318739A, 1_2_031452A0, 1_2_0315B2C0, 1_2_031E12ED, 1_2_0320B16B, 1_2_0312F172, 1_2_0317516C,
    1_2_0314B1B0, 1_2_031EF0CC, 1_2_031470C0, 1_2_031F70E9, 1_2_031FF0E0, 1_2_031FF7B0, 1_2_031F16CC, 1_2_031F7571,
    1_2_031DD5B0, 1_2_031FF43F, 1_2_03131460, 1_2_031FFB76, 1_2_0315FB80, 1_2_031B5BF0, 1_2_0317DBF9, 1_2_031FFA49,
    1_2_031F7A46, 1_2_031B3A6C, 1_2_031DDAAC, 1_2_03185AA0, 1_2_031EDAC6, 1_2_031D5910, 1_2_03149950, 1_2_0315B950,
    1_2_031AD800, 1_2_031438E0, 1_2_031FFF09, 1_2_03141F92, 1_2_031FFFB1, 1_2_03103FD2, 1_2_03103FD5, 1_2_03149EB0,
    1_2_031F1D5A, 1_2_03143D40, 1_2_031F7D73, 1_2_0315FDC0, 1_2_031B9C32, 1_2_031FFCF2
Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 03187E54 appears 98 times
Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 0312B970 appears 260 times
Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 03175130 appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 031BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 031AEA12 appears 86 times
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: String function: 00F8EC2F appears 68 times
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: String function: 00F9F8A0 appears 35 times
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: String function: 00F96AC0 appears 42 times
Source: PO#001498.exe, 00000000.00000003.1708629163.0000000003F3D000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: OriginalFilename ntdll.dllj% vs PO#001498.exe
Source: PO#001498.exe, 00000000.00000003.1708149357.0000000003A13000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: OriginalFilename ntdll.dllj% vs PO#001498.exe
Source: PO#001498.exe  Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine  Classification label: mal88.troj.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FBCE7A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FAAB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FAB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FBE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FB6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00FCC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\PO#001498.exe  Code function: 0_2_00F7406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\PO#001498.exe  File created: C:\Users\user\AppData\Local\Temp\autF61A.tmp
          Source: PO#001498.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO#001498.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: PO#001498.exeReversingLabs: Detection: 34%
          Source: unknownProcess created: C:\Users\user\Desktop\PO#001498.exe "C:\Users\user\Desktop\PO#001498.exe"
          Source: C:\Users\user\Desktop\PO#001498.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO#001498.exe"
          Source: C:\Users\user\Desktop\PO#001498.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO#001498.exe"Jump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\PO#001498.exeSection loaded: ntmarta.dllJump to behavior
          Source: PO#001498.exeStatic file information: File size 1208832 > 1048576
          Source: PO#001498.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: PO#001498.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: PO#001498.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: PO#001498.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: PO#001498.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: PO#001498.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: PO#001498.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: PO#001498.exe, 00000000.00000003.1708980953.0000000003E10000.00000004.00001000.00020000.00000000.sdmp, PO#001498.exe, 00000000.00000003.1709235228.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1714586639.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711465201.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2053844274.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2053844274.0000000003100000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: PO#001498.exe, 00000000.00000003.1708980953.0000000003E10000.00000004.00001000.00020000.00000000.sdmp, PO#001498.exe, 00000000.00000003.1709235228.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1714586639.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711465201.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2053844274.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2053844274.0000000003100000.00000040.00001000.00020000.00000000.sdmp
          Source: PO#001498.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: PO#001498.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: PO#001498.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: PO#001498.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: PO#001498.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F8E01E LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F9C09E push esi; ret 0_2_00F9C0A0
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F9C187 push edi; ret 0_2_00F9C189
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FDC8BC push esi; ret 0_2_00FDC8BE
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F96B05 push ecx; ret 0_2_00F96B18
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FBB2B1 push FFFFFF8Bh; iretd 0_2_00FBB2B3
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F9BDAA push edi; ret 0_2_00F9BDAC
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F9BEC3 push esi; ret 0_2_00F9BEC5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004030C0 push eax; ret 1_2_004030C2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040D0E4 push edx; retf 1_2_0040D0E5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040808C push esp; ret 1_2_00408097
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417257 push 00000020h; iretd 1_2_00417259
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417260 pushad; retf 1_2_0041726B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041EA38 push eax; retf 1_2_0041EA4B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004172D4 pushad; retf 1_2_0041726B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041EA8D push esp; retf 1_2_0041EA8E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00423F50 push FFFFFFD3h; iretd 1_2_00423F5B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416797 push ds; iretd 1_2_004167A2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310225F pushad; ret 1_2_031027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031027FA pushad; ret 1_2_031027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031309AD push ecx; mov dword ptr [esp], ecx 1_2_031309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310283D push eax; iretd 1_2_03102858
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310135E push eax; iretd 1_2_03101369
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03109939 push es; iretd 1_2_03109940
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FD8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F8EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F9123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
          Source: C:\Users\user\Desktop\PO#001498.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\PO#001498.exe | API/Special instruction interceptor: Address: 172573C
          Source: PO#001498.exe, 00000000.00000003.1694602652.0000000001609000.00000004.00000020.00020000.00000000.sdmp, PO#001498.exe, 00000000.00000003.1694513060.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, PO#001498.exe, 00000000.00000002.1716402167.0000000001609000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0317096E rdtsc
          Source: C:\Users\user\Desktop\PO#001498.exe | Evaded block: after key decision (graph_0-94486)
          Source: C:\Users\user\Desktop\PO#001498.exe | Evaded block: after key decision (graph_0-93466)
          Source: C:\Users\user\Desktop\PO#001498.exe | API coverage: 4.6 %
          Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7364 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FB6CA9 GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FB60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FB63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FBEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FBF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FBF56F FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FC1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FC1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FC1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F8DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Users\user\Desktop\PO#001498.exe | API call chain: ExitProcess graph end node (graph_0-93236)
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0317096E rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417983 LdrLoadDll
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FC6AAF BlockInput
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F73D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FA3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F8E01E LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_01724368 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_017259A8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_01725A08 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312C310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03150310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B035C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031FA352 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D8350 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D437C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031EC3CD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B63C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031663FF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312823B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312A250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03136259 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B8243 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B8243 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312826B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C62A0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DA118 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031F0115 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03160124 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312C156 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C8158 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C4144 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03170185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032061E5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031601F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B4000 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C6030 mov eax, dword ptr fs:[00000030h]1_2_031C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A020 mov eax, dword ptr fs:[00000030h]1_2_0312A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C020 mov eax, dword ptr fs:[00000030h]1_2_0312C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03132050 mov eax, dword ptr fs:[00000030h]1_2_03132050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6050 mov eax, dword ptr fs:[00000030h]1_2_031B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315C073 mov eax, dword ptr fs:[00000030h]1_2_0315C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313208A mov eax, dword ptr fs:[00000030h]1_2_0313208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F60B8 mov eax, dword ptr fs:[00000030h]1_2_031F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F60B8 mov ecx, dword ptr fs:[00000030h]1_2_031F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C80A8 mov eax, dword ptr fs:[00000030h]1_2_031C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B20DE mov eax, dword ptr fs:[00000030h]1_2_031B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C0F0 mov eax, dword ptr fs:[00000030h]1_2_0312C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031720F0 mov ecx, dword ptr fs:[00000030h]1_2_031720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0312A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031380E9 mov eax, dword ptr fs:[00000030h]1_2_031380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B60E0 mov eax, dword ptr fs:[00000030h]1_2_031B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130710 mov eax, dword ptr fs:[00000030h]1_2_03130710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03160710 mov eax, dword ptr fs:[00000030h]1_2_03160710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C700 mov eax, dword ptr fs:[00000030h]1_2_0316C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]1_2_0316273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov ecx, dword ptr fs:[00000030h]1_2_0316273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]1_2_0316273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AC730 mov eax, dword ptr fs:[00000030h]1_2_031AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]1_2_0316C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]1_2_0316C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130750 mov eax, dword ptr fs:[00000030h]1_2_03130750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BE75D mov eax, dword ptr fs:[00000030h]1_2_031BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]1_2_03172750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]1_2_03172750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B4755 mov eax, dword ptr fs:[00000030h]1_2_031B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov esi, dword ptr fs:[00000030h]1_2_0316674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]1_2_0316674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]1_2_0316674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138770 mov eax, dword ptr fs:[00000030h]1_2_03138770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D678E mov eax, dword ptr fs:[00000030h]1_2_031D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031307AF mov eax, dword ptr fs:[00000030h]1_2_031307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313C7C0 mov eax, dword ptr fs:[00000030h]1_2_0313C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B07C3 mov eax, dword ptr fs:[00000030h]1_2_031B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]1_2_031347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]1_2_031347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BE7E1 mov eax, dword ptr fs:[00000030h]1_2_031BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172619 mov eax, dword ptr fs:[00000030h]1_2_03172619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE609 mov eax, dword ptr fs:[00000030h]1_2_031AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E627 mov eax, dword ptr fs:[00000030h]1_2_0314E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03166620 mov eax, dword ptr fs:[00000030h]1_2_03166620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168620 mov eax, dword ptr fs:[00000030h]1_2_03168620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313262C mov eax, dword ptr fs:[00000030h]1_2_0313262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314C640 mov eax, dword ptr fs:[00000030h]1_2_0314C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03162674 mov eax, dword ptr fs:[00000030h]1_2_03162674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]1_2_031F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]1_2_031F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]1_2_0316A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]1_2_0316A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]1_2_03134690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]1_2_03134690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031666B0 mov eax, dword ptr fs:[00000030h]1_2_031666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C6A6 mov eax, dword ptr fs:[00000030h]1_2_0316C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0316A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A6C7 mov eax, dword ptr fs:[00000030h]1_2_0316A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]1_2_031B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]1_2_031B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C6500 mov eax, dword ptr fs:[00000030h]1_2_031C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138550 mov eax, dword ptr fs:[00000030h]1_2_03138550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138550 mov eax, dword ptr fs:[00000030h]1_2_03138550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]1_2_0316656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]1_2_0316656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]1_2_0316656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E59C mov eax, dword ptr fs:[00000030h]1_2_0316E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03132582 mov eax, dword ptr fs:[00000030h]1_2_03132582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03132582 mov ecx, dword ptr fs:[00000030h]1_2_03132582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03164588 mov eax, dword ptr fs:[00000030h]1_2_03164588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h]1_2_031545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h]1_2_031545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]1_2_031B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]1_2_031B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]1_2_031B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031365D0 mov eax, dword ptr fs:[00000030h]1_2_031365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h]1_2_0316A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h]1_2_0316A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h]1_2_0316E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h]1_2_0316E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031325E0 mov eax, dword ptr fs:[00000030h]1_2_031325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h]1_2_0316C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h]1_2_0316C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]1_2_03168402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]1_2_03168402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]1_2_03168402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A430 mov eax, dword ptr fs:[00000030h]1_2_0316A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]1_2_0312E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]1_2_0312E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]1_2_0312E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C427 mov eax, dword ptr fs:[00000030h]1_2_0312C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312645D mov eax, dword ptr fs:[00000030h]1_2_0312645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315245A mov eax, dword ptr fs:[00000030h]1_2_0315245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]1_2_0315A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]1_2_0315A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]1_2_0315A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BC460 mov ecx, dword ptr fs:[00000030h]1_2_031BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031644B0 mov ecx, dword ptr fs:[00000030h]1_2_031644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BA4B0 mov eax, dword ptr fs:[00000030h]1_2_031BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031364AB mov eax, dword ptr fs:[00000030h]1_2_031364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031304E5 mov ecx, dword ptr fs:[00000030h]1_2_031304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h]1_2_0315EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h]1_2_0315EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h]1_2_031F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h]1_2_031F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h]1_2_031C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h]1_2_031C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FAB40 mov eax, dword ptr fs:[00000030h]1_2_031FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D8B42 mov eax, dword ptr fs:[00000030h]1_2_031D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312CB7E mov eax, dword ptr fs:[00000030h]1_2_0312CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h]1_2_03140BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h]1_2_03140BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DEBD0 mov eax, dword ptr fs:[00000030h]1_2_031DEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]1_2_03150BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]1_2_03150BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]1_2_03150BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]1_2_03130BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]1_2_03130BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]1_2_03130BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]1_2_03138BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]1_2_03138BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]1_2_03138BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315EBFC mov eax, dword ptr fs:[00000030h]1_2_0315EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BCBF0 mov eax, dword ptr fs:[00000030h]1_2_031BCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BCA11 mov eax, dword ptr fs:[00000030h]1_2_031BCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h]1_2_03154A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h]1_2_03154A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316CA38 mov eax, dword ptr fs:[00000030h]1_2_0316CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316CA24 mov eax, dword ptr fs:[00000030h]1_2_0316CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315EA2E mov eax, dword ptr fs:[00000030h]1_2_0315EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h]1_2_03140A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h]1_2_03140A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h]1_2_031ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h]1_2_031ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]1_2_0316CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]1_2_0316CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]1_2_0316CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168A90 mov edx, dword ptr fs:[00000030h]1_2_03168A90
Source: C:\Windows\SysWOW64\svchost.exe | Code functions that read the PEB pointer through the FS segment (mov <reg>, dword ptr fs:[00000030h]); one entry per function, with the destination register and the number of such reads in that function:
1_2_0313EA80: mov eax (9)
1_2_03204A80: mov eax (1)
1_2_03138AA0: mov eax (2)
1_2_03186AA4: mov eax (1)
1_2_03130AD0: mov eax (1)
1_2_03164AD0: mov eax (2)
1_2_03186ACC: mov eax (3)
1_2_0316AAEE: mov eax (2)
1_2_031BC912: mov eax (1)
1_2_03128918: mov eax (2)
1_2_031AE908: mov eax (2)
1_2_031B892A: mov eax (1)
1_2_031C892B: mov eax (1)
1_2_031B0946: mov eax (1)
1_2_031D4978: mov eax (2)
1_2_031BC97C: mov eax (1)
1_2_03156962: mov eax (3)
1_2_0317096E: mov eax (2), mov edx (1)
1_2_031B89B3: mov esi (1), mov eax (2)
1_2_031429A0: mov eax (13)
1_2_031309AD: mov eax (2)
1_2_0313A9D0: mov eax (6)
1_2_031649D0: mov eax (1)
1_2_031FA9D3: mov eax (1)
1_2_031C69C0: mov eax (1)
1_2_031629F9: mov eax (2)
1_2_031BE9E0: mov eax (1)
1_2_031BC810: mov eax (1)
1_2_03152835: mov eax (5), mov ecx (1)
1_2_0316A830: mov eax (1)
1_2_031D483A: mov eax (2)
1_2_03160854: mov eax (1)
1_2_03134859: mov eax (2)
1_2_03142840: mov ecx (1)
1_2_031BE872: mov eax (2)
1_2_031C6870: mov eax (2)
1_2_031BC89D: mov eax (1)
1_2_03130887: mov eax (1)
1_2_0315E8C0: mov eax (1)
1_2_0316C8F9: mov eax (2)
1_2_031FA8E4: mov eax (1)
1_2_03132F12: mov eax (1)
1_2_0316CF1F: mov eax (1)
1_2_031E6F00: mov eax (1)
1_2_0315EF28: mov eax (1)
1_2_0312CF50: mov eax (6)
1_2_0316CF50: mov eax (1)
1_2_03204F68: mov eax (1)
1_2_031D0F50: mov eax (1)
1_2_031B4F40: mov eax (4)
1_2_031D4F42: mov eax (1)
1_2_0315AF69: mov eax (2)
1_2_031D2F60: mov eax (2)
1_2_03162F98: mov eax (2)
1_2_0316CF80: mov eax (1)
1_2_03204FE7: mov eax (1)
1_2_0312EFD8: mov eax (3)
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FAA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F98189 SetUnhandledExceptionFilter
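Behind every `mov <reg>, dword ptr fs:[00000030h]` hit in the injected svchost.exe above is one fact: on 32-bit Windows the FS segment base is the TEB, and TEB+0x30 holds the PEB pointer, from which BeingDebugged (PEB+0x02) and NtGlobalFlag (PEB+0x68) are the fields anti-debugging code reads next. The scanner below is an added example for this page, not Joe Sandbox code and not code recovered from the sample: it finds the two x86 encodings of that instruction in raw code bytes, reports the destination register, and tallies reads per register the way the report tallies them per function. The code bytes it scans are constructed for the demonstration, and the base address passed in is one of the report's function addresses used only to label output.

```python
"""Scanner for PEB reads through the FS segment in raw 32-bit x86 code.

Added example for this page, not Joe Sandbox code and not code from the sample.
On 32-bit Windows FS points at the TEB and TEB+0x30 holds the PEB pointer; the
PEB's BeingDebugged (+0x02) and NtGlobalFlag (+0x68) fields are what the usual
debugger checks read next, which is why the report flags these instructions.
"""
import re
from collections import Counter

# Register order used by the x86 ModRM reg field.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Encodings of `mov r32, dword ptr fs:[0x30]`:
#   64 A1 30 00 00 00        short form (opcode A1 = mov eax, moffs32), eax only
#   64 8B /r 30 00 00 00     general form, ModRM mod=00 rm=101 (disp32), reg = r32
PEB_READ = re.compile(
    rb"\x64(?:\xA1\x30\x00\x00\x00"
    rb"|\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00)"
)


def find_peb_reads(code: bytes, base: int = 0):
    """Return [(address, register), ...] for every PEB read found in `code`."""
    hits = []
    for m in PEB_READ.finditer(code):
        modrm = m.group(1)
        reg = "eax" if modrm is None else REGS32[(modrm[0] >> 3) & 7]
        hits.append((base + m.start(), reg))
    return hits


def reads_by_register(hits):
    """Count reads per destination register, as the report lists them per function."""
    return Counter(reg for _, reg in hits)


# Constructed demo bytes (not from the sample): a BeingDebugged check followed
# by an NtGlobalFlag check, the two PEB fields anti-debugging code reads first.
SAMPLE = bytes.fromhex(
    "64A130000000"    # mov eax, dword ptr fs:[30h]    ; eax = PEB
    "0FB64002"        # movzx eax, byte ptr [eax+2]    ; PEB->BeingDebugged
    "85C0"            # test eax, eax
    "7505"            # jne debugged
    "648B1530000000"  # mov edx, dword ptr fs:[30h]    ; edx = PEB
    "8B5268"          # mov edx, dword ptr [edx+68h]   ; PEB->NtGlobalFlag
    "83E270"          # and edx, 70h                   ; FLG_HEAP_* debug bits
    "C3"              # ret
)

if __name__ == "__main__":
    # 0x0317096E is one of the report's function addresses, used here only as a label.
    hits = find_peb_reads(SAMPLE, base=0x0317096E)
    for addr, reg in hits:
        print(f"{addr:08X} mov {reg}, dword ptr fs:[00000030h]")
    print(dict(reads_by_register(hits)))
```

A PEB read on its own is not evidence of malice: the CRT, the loader and many packers read fs:[30h] for the module list or the heap handle, so the density of reads per function and what is dereferenced afterwards (offset 2, offset 0x68, or the loader data at 0x0C) is what separates anti-debugging from housekeeping. The scanner also only covers 32-bit code; the 64-bit equivalent reads gs:[60h] and needs its own pattern.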

          HIPS / PFW / Operating System Protection Evasion

          barindex
Source: C:\Users\user\Desktop\PO#001498.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO#001498.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2748008
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FAB106 LogonUserW
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F73D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FB411C SendInput,keybd_event
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FB74E7 mouse_event
Source: C:\Users\user\Desktop\PO#001498.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO#001498.exe"
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FAA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FB71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: PO#001498.exe | Binary or memory string: Shell_TrayWnd
Source: PO#001498.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F965C4 cpuid
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FC091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FEB340 GetUserNameW
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FA1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00F8DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
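The three "Section loaded", "Memory written" and "Process created" lines in this section are the creation-time footprint of process hollowing: svchost.exe is started from a system directory by a process under the user's profile, yet its command line is the parent's own path, and the parent then maps an execute/read/write section into it and writes memory. The check below is an added example written for this page, not Joe Sandbox code: it scores process-creation events on the argv[0]/image mismatch plus two parentage signals. The event records are constructed to mirror the report's process tree, not real telemetry, and the field names image, cmdline and parent_image are assumptions; on a real host they correspond to the Image, CommandLine and ParentImage fields of Sysmon event ID 1.

```python
"""Creation-time hollowing check over process-creation events.

Added example for this page; not Joe Sandbox code. Mirrors what the report's
HIPS section shows for this sample: svchost.exe started by a user-profile
process with the parent's own command line, then mapped and written from the
parent. Events and field names below are constructed/assumed; on a real host
they map onto Sysmon event ID 1 (Image, CommandLine, ParentImage).
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_DIRS = ("c:\\users\\",)
# Assumed minimal allowlist: which parent may legitimately start a given system image.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring the quoted form."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def hollowing_indicators(ev: dict) -> list:
    """Return the reasons an event looks like a hollowed system process (empty = clean)."""
    image = ev["image"].lower()
    parent = ev.get("parent_image", "").lower()
    name = ntpath.basename(image)
    pname = ntpath.basename(parent)
    arg0 = ntpath.basename(argv0(ev["cmdline"]).lower())
    reasons = []
    # 1. The command line names a different executable than the image actually started.
    if arg0 and arg0 != name:
        reasons.append(f"argv[0] '{arg0}' does not match image '{name}'")
    # 2. A service host with an unexpected parent.
    if name in EXPECTED_PARENT and pname not in EXPECTED_PARENT[name]:
        reasons.append(f"'{name}' started by '{pname}' rather than {sorted(EXPECTED_PARENT[name])}")
    # 3. A system-directory image whose parent lives under a user profile.
    if image.startswith(SYSTEM_DIRS) and parent.startswith(USER_DIRS):
        reasons.append("system image launched by a process under a user profile")
    return reasons


def triage(events):
    """Return [(index, reasons)] for the events that raised at least one indicator."""
    return [(i, r) for i, ev in enumerate(events) if (r := hollowing_indicators(ev))]


# Constructed events (not real telemetry). The first mirrors the report's
# "Process created" line; the other two are benign shapes of the same images.
EVENTS = [
    {"image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\PO#001498.exe"',
     "parent_image": r"C:\Users\user\Desktop\PO#001498.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\user\Desktop\PO#001498.exe",
     "cmdline": r'"C:\Users\user\Desktop\PO#001498.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, reasons in triage(EVENTS):
        print(f"event {idx}: {EVENTS[idx]['image']}")
        for r in reasons:
            print("   -", r)
```

The argv[0] mismatch is the cheapest of the three signals and fires only when the injector reuses its own command line, as this sample does; a loader that passes a plausible svchost command line defeats it, which is why the memory-mapping and write events the report also records (a foreign section with execute/read/write protection, a write to the child's image base) are the signals to alert on when they are available.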

          Stealing of Sensitive Information

          barindex
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2053810289.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2053520113.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: PO#001498.exe | Binary or memory string: WIN_81
Source: PO#001498.exe | Binary or memory string: WIN_XP
Source: PO#001498.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: PO#001498.exe | Binary or memory string: WIN_XPe
Source: PO#001498.exe | Binary or memory string: WIN_VISTA
Source: PO#001498.exe | Binary or memory string: WIN_7
Source: PO#001498.exe | Binary or memory string: WIN_8

          Remote Access Functionality

          barindex
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2053810289.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2053520113.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FC8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\PO#001498.exe | Code function: 0_2_00FC923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix, rebuilt one tactic per line in the original column order (the extracted table had run its cells together). Entries with a leading number are the techniques the report's signatures mapped to, the number being the match count Joe Sandbox shows beside the technique; unnumbered entries are the unmatched techniques the matrix lists alongside them.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 2 Valid Accounts; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 2 Valid Accounts; 1 Exploitation for Privilege Escalation; 21 Access Token Manipulation; 212 Process Injection; 1 DLL Side-Loading; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 2 Valid Accounts; 1 Disable or Modify Tools; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; HTML Smuggling
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 25 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 115 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 21 Input Capture; 1 Archive Collected Data; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label
PO#001498.exe | 34% | ReversingLabs | Win32.Trojan.AutoitInject
PO#001498.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No contacted domains info
          No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1559467
          Start date and time:2024-11-20 15:24:34 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 7m 13s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name:Run with higher sleep bypass
Number of new started processes analysed:6
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:PO#001498.exe
          Detection:MAL
          Classification:mal88.troj.evad.winEXE@3/2@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 97%
          • Number of executed functions: 52
          • Number of non-executed functions: 293
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • VT rate limit hit for: PO#001498.exe
          No simulations
          No context
          Process:C:\Users\user\Desktop\PO#001498.exe
          File Type:data
          Category:dropped
          Size (bytes):288768
          Entropy (8bit):7.9956826876709615
          Encrypted:true
          SSDEEP:6144:lpXAp/pSuSdt7u6v4fztZfT2NgqWbuqZ8kDlxjcNeOFTvwFrBhOQwzE:PANpSt7ozjfTufWbuNBcOFbwBOhE
          MD5:15371DAD366653D6DAEE846CED8545E9
          SHA1:9265837C726DB2B4F2105851B79C112DBEF5A361
          SHA-256:98265DC13946294813165B85F54A5DDC132A0F1EB07AA245A4CD1C5D328DAA0B
          SHA-512:DE5EE27A2A01F060256F66005FD90BD2CADCB1AEF7EB18DE8DD9921717D4F41E892BCD840184BFD907741B04EEA22B40D0609A1E65565A5F6AA240EC09A12C95
          Malicious:false
          Reputation:low
          Preview:...7IMMD]TDX..A3.90JKEYR.N3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSR.7JMC[.ZD.Q.`.Iu.k.-0!o>A+7!3+.),#*6 d:=t3F&.Y$k...o#\ 5}_K=nMMDYTDX!UH.uYW.v%>.r.T.J....**.^...d83.)..v+"..&-[y04.F7JMMDYT..XT.2I97..YRON3DPS.F5KFLOYT.\XTA3H90JK.JRON#DPS"B7JM.DYDDXXVA3N90JKEYRIN3DPSRF7:IMD[TDXXTA1Hy.JKUYR_N3DPCRF'JMMDYTTXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON.05+&F7J..@YTTXXT.7H9 JKEYRON3DPSRF7jMM$YTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXT
          Process:C:\Users\user\Desktop\PO#001498.exe
          File Type:data
          Category:dropped
          Size (bytes):288768
          Entropy (8bit):7.9956826876709615
          Encrypted:true
          SSDEEP:6144:lpXAp/pSuSdt7u6v4fztZfT2NgqWbuqZ8kDlxjcNeOFTvwFrBhOQwzE:PANpSt7ozjfTufWbuNBcOFbwBOhE
          MD5:15371DAD366653D6DAEE846CED8545E9
          SHA1:9265837C726DB2B4F2105851B79C112DBEF5A361
          SHA-256:98265DC13946294813165B85F54A5DDC132A0F1EB07AA245A4CD1C5D328DAA0B
          SHA-512:DE5EE27A2A01F060256F66005FD90BD2CADCB1AEF7EB18DE8DD9921717D4F41E892BCD840184BFD907741B04EEA22B40D0609A1E65565A5F6AA240EC09A12C95
          Malicious:false
          Reputation:low
          Preview:...7IMMD]TDX..A3.90JKEYR.N3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSR.7JMC[.ZD.Q.`.Iu.k.-0!o>A+7!3+.),#*6 d:=t3F&.Y$k...o#\ 5}_K=nMMDYTDX!UH.uYW.v%>.r.T.J....**.^...d83.)..v+"..&-[y04.F7JMMDYT..XT.2I97..YRON3DPS.F5KFLOYT.\XTA3H90JK.JRON#DPS"B7JM.DYDDXXVA3N90JKEYRIN3DPSRF7:IMD[TDXXTA1Hy.JKUYR_N3DPCRF'JMMDYTTXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON.05+&F7J..@YTTXXT.7H9 JKEYRON3DPSRF7jMM$YTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXTA3H90JKEYRON3DPSRF7JMMDYTDXXT
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.1415962723128485
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:PO#001498.exe
          File size:1'208'832 bytes
          MD5:c9d5aeb62d2a1523bdd0a02825d37b3c
          SHA1:53b8687154bd9960bb4c2a970d13649fd05b92e9
          SHA256:dfca89417813396e9d060f2f40daac56a35f967a51be67db122c328dc4968973
          SHA512:c07e261748611e1541f55fe6f3d5633ae197bef10d821f15ac10c76eb1997f6fc9fb63dc7384a95d21194aa64e7f8aa1fadf65a877ba77ae14a34aa193fbd225
          SSDEEP:24576:xtb20pkaCqT5TBWgNQ7aVv0+EsKzmHmjthe5pEg6A:CVg5tQ7aVvDKyHmRIR5
          TLSH:3545D01273DD8360C7B25273BA65B701BEBF782506B5F96B2FD8093DE920121521EA73
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
          Icon Hash:aaf3e3e3938382a0
          Entrypoint:0x425f74
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x673DC225 [Wed Nov 20 11:04:05 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:3d95adbf13bbe79dc24dccb401c12091
          Instruction
          call 00007F9B1C8F1AEFh
          jmp 00007F9B1C8E4B04h
          int3
          int3
          push edi
          push esi
          mov esi, dword ptr [esp+10h]
          mov ecx, dword ptr [esp+14h]
          mov edi, dword ptr [esp+0Ch]
          mov eax, ecx
          mov edx, ecx
          add eax, esi
          cmp edi, esi
          jbe 00007F9B1C8E4C8Ah
          cmp edi, eax
          jc 00007F9B1C8E4FEEh
          bt dword ptr [004C0158h], 01h
          jnc 00007F9B1C8E4C89h
          rep movsb
          jmp 00007F9B1C8E4F9Ch
          cmp ecx, 00000080h
          jc 00007F9B1C8E4E54h
          mov eax, edi
          xor eax, esi
          test eax, 0000000Fh
          jne 00007F9B1C8E4C90h
          bt dword ptr [004BA370h], 01h
          jc 00007F9B1C8E5160h
          bt dword ptr [004C0158h], 00000000h
          jnc 00007F9B1C8E4E2Dh
          test edi, 00000003h
          jne 00007F9B1C8E4E3Eh
          test esi, 00000003h
          jne 00007F9B1C8E4E1Dh
          bt edi, 02h
          jnc 00007F9B1C8E4C8Fh
          mov eax, dword ptr [esi]
          sub ecx, 04h
          lea esi, dword ptr [esi+04h]
          mov dword ptr [edi], eax
          lea edi, dword ptr [edi+04h]
          bt edi, 03h
          jnc 00007F9B1C8E4C93h
          movq xmm1, qword ptr [esi]
          sub ecx, 08h
          lea esi, dword ptr [esi+08h]
          movq qword ptr [edi], xmm1
          lea edi, dword ptr [edi+08h]
          test esi, 00000007h
          je 00007F9B1C8E4CE5h
          bt esi, 03h
          jnc 00007F9B1C8E4D38h
          movdqa xmm1, dqword ptr [esi+00h]
          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          • [ASM] VS2012 UPD4 build 61030
          • [RES] VS2012 UPD4 build 61030
          • [LNK] VS2012 UPD4 build 61030
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5e168 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x123000 | 0x6c4c | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0xc4000 | 0x5e168 | 0x5e200 | 72c1138098cf6e879bdc6f689bab4e00 | False | 0.9305227008632138 | data | 7.900110411343122 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x123000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
          RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
          RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
          RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
          RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
          RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
          RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
          RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
          RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
          RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
          RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
          RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
          RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
          RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
          RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
          RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
          RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
          RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
          RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
          RT_RCDATA | 0xcc7b8 | 0x5546d | data | | | 1.0003320994122413
          RT_GROUP_ICON | 0x121c28 | 0x76 | data | English | Great Britain | 0.6610169491525424
          RT_GROUP_ICON | 0x121ca0 | 0x14 | data | English | Great Britain | 1.25
          RT_GROUP_ICON | 0x121cb4 | 0x14 | data | English | Great Britain | 1.15
          RT_GROUP_ICON | 0x121cc8 | 0x14 | data | English | Great Britain | 1.25
          RT_VERSION | 0x121cdc | 0xdc | data | English | Great Britain | 0.6181818181818182
          RT_MANIFEST | 0x121db8 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
          DLL | Import
          WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
          VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
          MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
          WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
          PSAPI.DLL | GetProcessMemoryInfo
          IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
          USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
          UxTheme.dll | IsThemeActive
          KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
          USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
          GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
          COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
          ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
          SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
          ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
          OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
          Language of compilation system | Country where language is spoken | Map
          English | Great Britain |
          No network behavior found

          Target ID:0
          Start time:09:25:28
          Start date:20/11/2024
          Path:C:\Users\user\Desktop\PO#001498.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\PO#001498.exe"
          Imagebase:0xf70000
          File size:1'208'832 bytes
          MD5 hash:C9D5AEB62D2A1523BDD0A02825D37B3C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:09:25:29
          Start date:20/11/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\PO#001498.exe"
          Imagebase:0x330000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2053810289.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2053520113.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          Reputation:high
          Has exited:true

            Execution Graph

            Execution Coverage:4%
            Dynamic/Decrypted Code Coverage:0.4%
            Signature Coverage:11.1%
            Total number of Nodes:2000
            Total number of Limit Nodes:153
            execution_graph 92862 fe19dd 92867 f74a30 92862->92867 92864 fe19f1 92887 f90f0a 52 API calls __cinit 92864->92887 92866 fe19fb 92868 f74a40 __ftell_nolock 92867->92868 92888 f7d7f7 92868->92888 92872 f74aff 92900 f7363c 92872->92900 92879 f7d7f7 48 API calls 92880 f74b32 92879->92880 92922 f749fb 92880->92922 92882 f74b43 Mailbox 92882->92864 92884 f74b3d _wcscat Mailbox __wsetenvp 92884->92882 92885 f764cf 48 API calls 92884->92885 92886 f761a6 48 API calls 92884->92886 92936 f7ce19 92884->92936 92885->92884 92886->92884 92887->92866 92942 f8f4ea 92888->92942 92890 f7d818 92891 f8f4ea 48 API calls 92890->92891 92892 f74af6 92891->92892 92893 f75374 92892->92893 92973 f9f8a0 92893->92973 92896 f7ce19 48 API calls 92897 f753a7 92896->92897 92975 f7660f 92897->92975 92899 f753b1 Mailbox 92899->92872 92901 f73649 __ftell_nolock 92900->92901 93022 f7366c GetFullPathNameW 92901->93022 92903 f7365a 92904 f76a63 48 API calls 92903->92904 92905 f73669 92904->92905 92906 f7518c 92905->92906 92907 f75197 92906->92907 92908 fe1ace 92907->92908 92909 f7519f 92907->92909 92910 f76b4a 48 API calls 92908->92910 93024 f75130 92909->93024 92913 fe1adb __wsetenvp 92910->92913 92912 f74b18 92916 f764cf 92912->92916 92914 f8ee75 48 API calls 92913->92914 92915 fe1b07 _memcpy_s 92914->92915 92917 f7651b 92916->92917 92921 f764dd _memcpy_s 92916->92921 92920 f8f4ea 48 API calls 92917->92920 92918 f8f4ea 48 API calls 92919 f74b29 92918->92919 92919->92879 92920->92921 92921->92918 93039 f7bcce 92922->93039 92925 fe41cc RegQueryValueExW 92927 fe4246 RegCloseKey 92925->92927 92928 fe41e5 92925->92928 92926 f74a2b 92926->92884 92929 f8f4ea 48 API calls 92928->92929 92930 fe41fe 92929->92930 93045 f747b7 92930->93045 92933 fe423b 92933->92927 92934 fe4224 92935 f76a63 48 API calls 92934->92935 92935->92933 92937 f7ce28 __wsetenvp 92936->92937 92938 f8ee75 48 API calls 92937->92938 92939 f7ce50 _memcpy_s 92938->92939 92940 f8f4ea 48 API calls 92939->92940 92941 f7ce66 
92940->92941 92941->92884 92945 f8f4f2 __calloc_impl 92942->92945 92944 f8f50c 92944->92890 92945->92944 92946 f8f50e std::exception::exception 92945->92946 92951 f9395c 92945->92951 92965 f96805 RaiseException 92946->92965 92948 f8f538 92966 f9673b 47 API calls _free 92948->92966 92950 f8f54a 92950->92890 92952 f939d7 __calloc_impl 92951->92952 92954 f93968 __calloc_impl 92951->92954 92972 f97c0e 47 API calls __getptd_noexit 92952->92972 92953 f93973 92953->92954 92967 f981c2 47 API calls 2 library calls 92953->92967 92968 f9821f 47 API calls 7 library calls 92953->92968 92969 f91145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 92953->92969 92954->92953 92957 f9399b RtlAllocateHeap 92954->92957 92960 f939c3 92954->92960 92963 f939c1 92954->92963 92957->92954 92958 f939cf 92957->92958 92958->92945 92970 f97c0e 47 API calls __getptd_noexit 92960->92970 92971 f97c0e 47 API calls __getptd_noexit 92963->92971 92965->92948 92966->92950 92967->92953 92968->92953 92970->92963 92971->92958 92972->92958 92974 f75381 GetModuleFileNameW 92973->92974 92974->92896 92976 f9f8a0 __ftell_nolock 92975->92976 92977 f7661c GetFullPathNameW 92976->92977 92982 f76a63 92977->92982 92979 f76643 92993 f76571 92979->92993 92983 f76adf 92982->92983 92985 f76a6f __wsetenvp 92982->92985 93010 f7b18b 92983->93010 92986 f76ad7 92985->92986 92987 f76a8b 92985->92987 93009 f7c369 48 API calls 92986->93009 92997 f76b4a 92987->92997 92990 f76a95 93000 f8ee75 92990->93000 92991 f76ab6 _memcpy_s 92991->92979 92994 f7657f 92993->92994 92995 f7b18b 48 API calls 92994->92995 92996 f7658f 92995->92996 92996->92899 92998 f8f4ea 48 API calls 92997->92998 92999 f76b54 92998->92999 92999->92990 93002 f8f4ea __calloc_impl 93000->93002 93001 f9395c _W_store_winword 47 API calls 93001->93002 93002->93001 93003 f8f50c 93002->93003 93004 f8f50e std::exception::exception 93002->93004 93003->92991 93014 f96805 RaiseException 93004->93014 93006 f8f538 93015 f9673b 47 API calls _free 
93006->93015 93008 f8f54a 93008->92991 93009->92991 93011 f7b199 93010->93011 93013 f7b1a2 _memcpy_s 93010->93013 93011->93013 93016 f7bdfa 93011->93016 93013->92991 93014->93006 93015->93008 93017 f7be0d 93016->93017 93021 f7be0a _memcpy_s 93016->93021 93018 f8f4ea 48 API calls 93017->93018 93019 f7be17 93018->93019 93020 f8ee75 48 API calls 93019->93020 93020->93021 93021->93013 93023 f7368a 93022->93023 93023->92903 93025 f7513f __wsetenvp 93024->93025 93026 f75151 93025->93026 93027 fe1b27 93025->93027 93034 f7bb85 93026->93034 93028 f76b4a 48 API calls 93027->93028 93030 fe1b34 93028->93030 93032 f8ee75 48 API calls 93030->93032 93031 f7515e _memcpy_s 93031->92912 93033 fe1b57 _memcpy_s 93032->93033 93035 f7bb9b 93034->93035 93038 f7bb96 _memcpy_s 93034->93038 93036 fe1b77 93035->93036 93037 f8ee75 48 API calls 93035->93037 93037->93038 93038->93031 93040 f74a0a RegOpenKeyExW 93039->93040 93041 f7bce8 93039->93041 93040->92925 93040->92926 93042 f8f4ea 48 API calls 93041->93042 93043 f7bcf2 93042->93043 93044 f8ee75 48 API calls 93043->93044 93044->93040 93046 f8f4ea 48 API calls 93045->93046 93047 f747c9 RegQueryValueExW 93046->93047 93047->92933 93047->92934 93048 f95dfd 93049 f95e09 _fprintf 93048->93049 93085 f97eeb GetStartupInfoW 93049->93085 93051 f95e0e 93087 f99ca7 GetProcessHeap 93051->93087 93053 f95e66 93054 f95e71 93053->93054 93172 f95f4d 47 API calls 3 library calls 93053->93172 93088 f97b47 93054->93088 93057 f95e77 93058 f95e82 __RTC_Initialize 93057->93058 93173 f95f4d 47 API calls 3 library calls 93057->93173 93109 f9acb3 93058->93109 93061 f95e91 93062 f95e9d GetCommandLineW 93061->93062 93174 f95f4d 47 API calls 3 library calls 93061->93174 93128 fa2e7d GetEnvironmentStringsW 93062->93128 93065 f95e9c 93065->93062 93069 f95ec2 93141 fa2cb4 93069->93141 93072 f95ec8 93073 f95ed3 93072->93073 93176 f9115b 47 API calls 3 library calls 93072->93176 93155 f91195 93073->93155 93076 f95edb 93077 f95ee6 __wwincmdln 93076->93077 93177 f9115b 47 API 
calls 3 library calls 93076->93177 93159 f73a0f 93077->93159 93080 f95efa 93081 f95f09 93080->93081 93178 f913f1 47 API calls _doexit 93080->93178 93179 f91186 47 API calls _doexit 93081->93179 93084 f95f0e _fprintf 93086 f97f01 93085->93086 93086->93051 93087->93053 93180 f9123a 30 API calls 2 library calls 93088->93180 93090 f97b4c 93181 f97e23 InitializeCriticalSectionAndSpinCount 93090->93181 93092 f97b51 93093 f97b55 93092->93093 93183 f97e6d TlsAlloc 93092->93183 93182 f97bbd 50 API calls 2 library calls 93093->93182 93096 f97b5a 93096->93057 93097 f97b67 93097->93093 93098 f97b72 93097->93098 93184 f96986 93098->93184 93101 f97bb4 93192 f97bbd 50 API calls 2 library calls 93101->93192 93104 f97b93 93104->93101 93106 f97b99 93104->93106 93105 f97bb9 93105->93057 93191 f97a94 47 API calls 4 library calls 93106->93191 93108 f97ba1 GetCurrentThreadId 93108->93057 93110 f9acbf _fprintf 93109->93110 93201 f97cf4 93110->93201 93112 f9acc6 93113 f96986 __calloc_crt 47 API calls 93112->93113 93114 f9acd7 93113->93114 93115 f9ad42 GetStartupInfoW 93114->93115 93116 f9ace2 @_EH4_CallFilterFunc@8 _fprintf 93114->93116 93117 f9ad57 93115->93117 93123 f9ae80 93115->93123 93116->93061 93121 f96986 __calloc_crt 47 API calls 93117->93121 93117->93123 93124 f9ada5 93117->93124 93118 f9af44 93208 f9af58 LeaveCriticalSection _doexit 93118->93208 93120 f9aec9 GetStdHandle 93120->93123 93121->93117 93122 f9aedb GetFileType 93122->93123 93123->93118 93123->93120 93123->93122 93125 f9af08 InitializeCriticalSectionAndSpinCount 93123->93125 93124->93123 93126 f9ade5 InitializeCriticalSectionAndSpinCount 93124->93126 93127 f9add7 GetFileType 93124->93127 93125->93123 93126->93124 93127->93124 93127->93126 93129 f95ead 93128->93129 93131 fa2e8e 93128->93131 93135 fa2a7b GetModuleFileNameW 93129->93135 93130 fa2ea9 93247 f969d0 47 API calls _W_store_winword 93130->93247 93131->93130 93131->93131 93133 fa2eb4 _memcpy_s 93134 fa2eca FreeEnvironmentStringsW 93133->93134 93134->93129 93136 
fa2aaf _wparse_cmdline 93135->93136 93137 f95eb7 93136->93137 93138 fa2ae9 93136->93138 93137->93069 93175 f9115b 47 API calls 3 library calls 93137->93175 93248 f969d0 47 API calls _W_store_winword 93138->93248 93140 fa2aef _wparse_cmdline 93140->93137 93142 fa2cc5 93141->93142 93143 fa2ccd __wsetenvp 93141->93143 93142->93072 93144 f96986 __calloc_crt 47 API calls 93143->93144 93151 fa2cf6 __wsetenvp 93144->93151 93145 fa2d4d 93146 f91c9d _free 47 API calls 93145->93146 93146->93142 93147 f96986 __calloc_crt 47 API calls 93147->93151 93148 fa2d72 93149 f91c9d _free 47 API calls 93148->93149 93149->93142 93151->93142 93151->93145 93151->93147 93151->93148 93152 fa2d89 93151->93152 93249 fa2567 47 API calls _fprintf 93151->93249 93250 f96e20 IsProcessorFeaturePresent 93152->93250 93154 fa2d95 93154->93072 93156 f911a1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 93155->93156 93158 f911e0 __IsNonwritableInCurrentImage 93156->93158 93273 f90f0a 52 API calls __cinit 93156->93273 93158->93076 93160 fe1ebf 93159->93160 93161 f73a29 93159->93161 93162 f73a63 IsThemeActive 93161->93162 93274 f91405 93162->93274 93166 f73a8f 93286 f73adb SystemParametersInfoW SystemParametersInfoW 93166->93286 93168 f73a9b 93287 f73d19 93168->93287 93170 f73aa3 SystemParametersInfoW 93171 f73ac8 93170->93171 93171->93080 93172->93054 93173->93058 93174->93065 93178->93081 93179->93084 93180->93090 93181->93092 93182->93096 93183->93097 93187 f9698d 93184->93187 93186 f969ca 93186->93101 93190 f97ec9 TlsSetValue 93186->93190 93187->93186 93188 f969ab Sleep 93187->93188 93193 fa30aa 93187->93193 93189 f969c2 93188->93189 93189->93186 93189->93187 93190->93104 93191->93108 93192->93105 93194 fa30d0 __calloc_impl 93193->93194 93195 fa30b5 93193->93195 93197 fa30e0 RtlAllocateHeap 93194->93197 93199 fa30c6 93194->93199 93195->93194 93196 fa30c1 93195->93196 93200 f97c0e 47 API calls __getptd_noexit 93196->93200 93197->93194 93197->93199 93199->93187 93200->93199 93202 
f97d18 EnterCriticalSection 93201->93202 93203 f97d05 93201->93203 93202->93112 93209 f97d7c 93203->93209 93205 f97d0b 93205->93202 93233 f9115b 47 API calls 3 library calls 93205->93233 93208->93116 93210 f97d88 _fprintf 93209->93210 93211 f97da9 93210->93211 93212 f97d91 93210->93212 93213 f97da7 93211->93213 93219 f97e11 _fprintf 93211->93219 93234 f981c2 47 API calls 2 library calls 93212->93234 93213->93211 93237 f969d0 47 API calls _W_store_winword 93213->93237 93216 f97d96 93235 f9821f 47 API calls 7 library calls 93216->93235 93217 f97dbd 93220 f97dd3 93217->93220 93221 f97dc4 93217->93221 93219->93205 93224 f97cf4 __lock 46 API calls 93220->93224 93238 f97c0e 47 API calls __getptd_noexit 93221->93238 93222 f97d9d 93236 f91145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 93222->93236 93227 f97dda 93224->93227 93226 f97dc9 93226->93219 93228 f97de9 InitializeCriticalSectionAndSpinCount 93227->93228 93229 f97dfe 93227->93229 93230 f97e04 93228->93230 93239 f91c9d 93229->93239 93245 f97e1a LeaveCriticalSection _doexit 93230->93245 93234->93216 93235->93222 93237->93217 93238->93226 93240 f91ccf _free 93239->93240 93241 f91ca6 RtlFreeHeap 93239->93241 93240->93230 93241->93240 93242 f91cbb 93241->93242 93246 f97c0e 47 API calls __getptd_noexit 93242->93246 93244 f91cc1 GetLastError 93244->93240 93245->93219 93246->93244 93247->93133 93248->93140 93249->93151 93251 f96e2b 93250->93251 93256 f96cb5 93251->93256 93255 f96e46 93255->93154 93257 f96ccf _memset __call_reportfault 93256->93257 93258 f96cef IsDebuggerPresent 93257->93258 93264 f981ac SetUnhandledExceptionFilter UnhandledExceptionFilter 93258->93264 93261 f96db3 __call_reportfault 93265 f9a70c 93261->93265 93262 f96dd6 93263 f98197 GetCurrentProcess TerminateProcess 93262->93263 93263->93255 93264->93261 93266 f9a714 93265->93266 93267 f9a716 IsProcessorFeaturePresent 93265->93267 93266->93262 93269 fa37b0 93267->93269 93272 fa375f 5 API calls 2 library calls 93269->93272 93271 
fa3893 93271->93262 93272->93271 93273->93158 93275 f97cf4 __lock 47 API calls 93274->93275 93276 f91410 93275->93276 93339 f97e58 LeaveCriticalSection 93276->93339 93278 f73a88 93279 f9146d 93278->93279 93280 f91491 93279->93280 93281 f91477 93279->93281 93280->93166 93281->93280 93340 f97c0e 47 API calls __getptd_noexit 93281->93340 93283 f91481 93341 f96e10 8 API calls _fprintf 93283->93341 93285 f9148c 93285->93166 93286->93168 93288 f73d26 __ftell_nolock 93287->93288 93289 f7d7f7 48 API calls 93288->93289 93290 f73d31 GetCurrentDirectoryW 93289->93290 93342 f761ca 93290->93342 93292 f73d57 IsDebuggerPresent 93293 f73d65 93292->93293 93294 fe1cc1 MessageBoxA 93292->93294 93295 f73e3a 93293->93295 93297 fe1cd9 93293->93297 93298 f73d82 93293->93298 93294->93297 93296 f73e41 SetCurrentDirectoryW 93295->93296 93299 f73e4e Mailbox 93296->93299 93528 f8c682 48 API calls 93297->93528 93416 f740e5 93298->93416 93299->93170 93302 fe1ce9 93307 fe1cff SetCurrentDirectoryW 93302->93307 93304 f73da0 GetFullPathNameW 93305 f76a63 48 API calls 93304->93305 93306 f73ddb 93305->93306 93432 f76430 93306->93432 93307->93299 93310 f73df6 93311 f73e00 93310->93311 93529 fb71fa AllocateAndInitializeSid CheckTokenMembership FreeSid 93310->93529 93448 f73e6e GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 93311->93448 93314 fe1d1c 93314->93311 93317 fe1d2d 93314->93317 93319 f75374 50 API calls 93317->93319 93318 f73e0a 93320 f73e1f 93318->93320 93456 f74ffc 93318->93456 93321 fe1d35 93319->93321 93466 f7e8d0 93320->93466 93324 f7ce19 48 API calls 93321->93324 93326 fe1d42 93324->93326 93328 fe1d6e 93326->93328 93329 fe1d49 93326->93329 93330 f7518c 48 API calls 93328->93330 93331 f7518c 48 API calls 93329->93331 93332 fe1d6a GetForegroundWindow ShellExecuteW 93330->93332 93333 fe1d54 93331->93333 93336 fe1d9e Mailbox 93332->93336 93530 f7510d 93333->93530 93336->93295 93338 f7518c 48 API calls 93338->93332 93339->93278 93340->93283 93341->93285 93539 f8e99b 93342->93539 
[Execution graph residue: the report's control-flow graph (node ids, code addresses and "a->b" edges) does not survive as text and is omitted here. Windows APIs named in the graph nodes: LoadLibraryExW, LoadLibraryA, GetProcAddress, FreeLibrary, GetOpenFileNameW, GetFullPathNameW, GetLongPathNameW, RegisterClassExW, LoadImageW, CreateWindowExW, ShowWindow, Shell_NotifyIconW, DestroyIcon, LoadStringW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, LockWindowUpdate, DestroyWindow, Sleep, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, GetExitCodeProcess, CloseHandle, GetSystemTimeAsFileTime, FindResourceExW, LoadResource, SizeofResource, LockResource, EnumResourceNamesW, CreateStreamOnHGlobal, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, WriteConsoleW, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, GetStringTypeW, CharUpperBuffW, SetCurrentDirectoryW, GetLastError, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, InterlockedDecrement.]
94709->94525 94710->94549 94711->94549 94712->94533 94714 fbfa1c __ftell_nolock 94713->94714 94715 fbfa44 94714->94715 94889 f7d286 48 API calls 94714->94889 94808 f7936c 94715->94808 94718 fbfa5e 94719 fbfb68 94718->94719 94720 fbfa80 94718->94720 94732 fbfb92 94718->94732 94722 f7936c 81 API calls 94720->94722 94732->94559 94930 fb6ca9 GetFileAttributesW 94754->94930 94758 f7936c 81 API calls 94757->94758 94759 fc702a 94758->94759 94760 f7b470 91 API calls 94759->94760 94761 fc703a 94760->94761 94762 fc705f 94761->94762 94763 f7fe30 335 API calls 94761->94763 94765 fc7063 94762->94765 94934 f7cdb9 48 API calls 94762->94934 94763->94762 94765->94559 94766->94561 94768 fce84e 94767->94768 94769 fce868 94767->94769 94935 fbcc5c 86 API calls 4 library calls 94768->94935 94936 fcccdc 48 API calls 94769->94936 94772 fce871 94773 f7fe30 334 API calls 94772->94773 94774 fce8cf 94773->94774 94775 fce96a 94774->94775 94776 fce916 94774->94776 94800 fce860 Mailbox 94774->94800 94777 fce978 94775->94777 94780 fce9c7 94775->94780 94937 fb9b72 48 API calls 94776->94937 94780->94800 94800->94558 94807->94559 94809 f79384 94808->94809 94826 f79380 94808->94826 94810 fe4cbd __i64tow 94809->94810 94811 fe4bbf 94809->94811 94812 f79398 94809->94812 94820 f793b0 __itow Mailbox _wcscpy 94809->94820 94813 fe4bc8 94811->94813 94814 fe4ca5 94811->94814 94892 f9172b 80 API calls 3 library calls 94812->94892 94813->94820 94817 f8f4ea 48 API calls 94818 f793ba 94817->94818 94818->94826 94820->94817 94826->94718 94889->94715 94892->94820 94931 fb6529 94930->94931 94932 fb6cc4 FindFirstFileW 94930->94932 94931->94559 94932->94931 94933 fb6cd9 FindClose 94932->94933 94933->94931 94934->94765 94935->94800 94936->94772 94944 f7bd3f 94943->94944 94947 f7bd5a 94943->94947 94945 f7bdfa 48 API calls 94944->94945 94946 f7bd47 CharUpperBuffW 94945->94946 94946->94947 94947->94580 94949 fe436a 94948->94949 94950 f72b8b 94948->94950 94951 f8f4ea 48 API calls 94950->94951 94952 f72b92 94951->94952 94953 
f72bb3 94952->94953 94979 f72bce 48 API calls 94952->94979 94955->94586 94957->94638 94958->94638 94959->94638 94960->94649 94961->94586 94966->94642 94970->94642 94971->94638 94972->94638 94973->94638 94974->94638 94975->94642 94978->94642 94979->94953 94980->94685 94981->94685 94982->94684 94983->94684 94984->94678 94985->94673 94986->94683 94988 f7b392 94987->94988 94994 f7b3c5 _memcpy_s 94987->94994 94989 f7b3fd 94988->94989 94990 f7b3b8 94988->94990 94988->94994 94991 f8f4ea 48 API calls 94989->94991 94992 f7bb85 48 API calls 94990->94992 94993 f7b407 94991->94993 94992->94994 94995 f8f4ea 48 API calls 94993->94995 94994->93535 94995->94994 94996->93536 94997 fe19ba 95002 f8c75a 94997->95002 95001 fe19c9 95003 f7d7f7 48 API calls 95002->95003 95004 f8c7c8 95003->95004 95010 f8d26c 95004->95010 95007 f8c865 95008 f8c881 95007->95008 95013 f8d1fa 48 API calls _memcpy_s 95007->95013 95009 f90f0a 52 API calls __cinit 95008->95009 95009->95001 95014 f8d298 95010->95014 95013->95007 95015 f8d28b 95014->95015 95016 f8d2a5 95014->95016 95015->95007 95016->95015 95017 f8d2ac RegOpenKeyExW 95016->95017 95017->95015 95018 f8d2c6 RegQueryValueExW 95017->95018 95019 f8d2fc RegCloseKey 95018->95019 95020 f8d2e7 95018->95020 95019->95015 95020->95019 95021 fe197b 95026 f8dd94 95021->95026 95025 fe198a 95027 f8f4ea 48 API calls 95026->95027 95028 f8dd9c 95027->95028 95030 f8ddb0 95028->95030 95034 f8df3d 95028->95034 95033 f90f0a 52 API calls __cinit 95030->95033 95033->95025 95035 f8dda8 95034->95035 95036 f8df46 95034->95036 95038 f8ddc0 95035->95038 95066 f90f0a 52 API calls __cinit 95036->95066 95039 f7d7f7 48 API calls 95038->95039 95040 f8ddd7 GetVersionExW 95039->95040 95041 f76a63 48 API calls 95040->95041 95042 f8de1a 95041->95042 95067 f8dfb4 95042->95067 95045 f76571 48 API calls 95046 f8de2e 95045->95046 95049 fe24c8 95046->95049 95071 f8df77 95046->95071 95050 f8dea4 GetCurrentProcess 95080 f8df5f LoadLibraryA GetProcAddress 95050->95080 95051 f8debb 95053 f8df31 
GetSystemInfo 95051->95053 95054 f8dee3 95051->95054 95055 f8df0e 95053->95055 95074 f8e00c 95054->95074 95057 f8df1c FreeLibrary 95055->95057 95058 f8df21 95055->95058 95057->95058 95058->95030 95060 f8df29 GetSystemInfo 95062 f8df03 95060->95062 95061 f8def9 95077 f8dff4 95061->95077 95062->95055 95064 f8df09 FreeLibrary 95062->95064 95064->95055 95066->95035 95068 f8dfbd 95067->95068 95069 f7b18b 48 API calls 95068->95069 95070 f8de22 95069->95070 95070->95045 95081 f8df89 95071->95081 95085 f8e01e 95074->95085 95078 f8e00c 2 API calls 95077->95078 95079 f8df01 GetNativeSystemInfo 95078->95079 95079->95062 95080->95051 95082 f8dea0 95081->95082 95083 f8df92 LoadLibraryA 95081->95083 95082->95050 95082->95051 95083->95082 95084 f8dfa3 GetProcAddress 95083->95084 95084->95082 95086 f8def1 95085->95086 95087 f8e027 LoadLibraryA 95085->95087 95086->95060 95086->95061 95087->95086 95088 f8e038 GetProcAddress 95087->95088 95088->95086 95089 fe8eb8 95093 fba635 95089->95093 95091 fe8ec3 95092 fba635 84 API calls 95091->95092 95092->95091 95094 fba66f 95093->95094 95098 fba642 95093->95098 95094->95091 95095 fba671 95105 f8ec4e 81 API calls 95095->95105 95096 fba676 95099 f7936c 81 API calls 95096->95099 95098->95094 95098->95095 95098->95096 95102 fba669 95098->95102 95100 fba67d 95099->95100 95101 f7510d 48 API calls 95100->95101 95101->95094 95104 f84525 61 API calls _memcpy_s 95102->95104 95104->95094 95105->95096 95106 f7b7b1 95115 f7c62c 95106->95115 95108 f7b7ec 95110 f7ba85 48 API calls 95108->95110 95109 f7b7c2 95109->95108 95123 f7bc74 48 API calls 95109->95123 95112 f7b6b7 Mailbox 95110->95112 95113 f7b7e0 95114 f7ba85 48 API calls 95113->95114 95114->95108 95116 f7bcce 48 API calls 95115->95116 95119 f7c63b 95116->95119 95117 fe39fd 95124 fb26bc 88 API calls 4 library calls 95117->95124 95119->95117 95120 f7c68b 95119->95120 95122 f7c799 48 API calls 95119->95122 95120->95109 95121 fe3a0b 95122->95119 95123->95113 95124->95121 95125 fe9bec 95149 f80ae0 
_memcpy_s Mailbox 95125->95149 95127 f81526 Mailbox 95217 fbcc5c 86 API calls 4 library calls 95127->95217 95130 f815b5 95218 fbcc5c 86 API calls 4 library calls 95130->95218 95131 f80509 95220 fbcc5c 86 API calls 4 library calls 95131->95220 95133 f8146e 95139 f76eed 48 API calls 95133->95139 95135 f8f4ea 48 API calls 95151 f7fec8 95135->95151 95136 f76eed 48 API calls 95136->95151 95138 f81473 95219 fbcc5c 86 API calls 4 library calls 95138->95219 95153 f7ffe1 Mailbox 95139->95153 95141 fea246 95144 f76eed 48 API calls 95141->95144 95142 fea922 95144->95153 95146 fea873 95147 fa97ed InterlockedDecrement 95147->95151 95148 f7d7f7 48 API calls 95148->95151 95149->95127 95149->95151 95152 f7ce19 48 API calls 95149->95152 95149->95153 95159 fce822 335 API calls 95149->95159 95160 f7fe30 335 API calls 95149->95160 95161 fea706 95149->95161 95163 f8f4ea 48 API calls 95149->95163 95164 fa97ed InterlockedDecrement 95149->95164 95167 fc6ff0 335 API calls 95149->95167 95168 fd0d1d 95149->95168 95171 fd0d09 95149->95171 95174 fcf0ac 95149->95174 95206 fba6ef 95149->95206 95214 fcef61 82 API calls 2 library calls 95149->95214 95150 fea30e 95150->95153 95215 fa97ed InterlockedDecrement 95150->95215 95151->95130 95151->95131 95151->95133 95151->95135 95151->95136 95151->95138 95151->95141 95151->95147 95151->95148 95151->95150 95151->95153 95155 fea973 95151->95155 95157 f90f0a 52 API calls __cinit 95151->95157 95212 f81820 335 API calls 2 library calls 95151->95212 95213 f81d10 59 API calls Mailbox 95151->95213 95152->95149 95221 fbcc5c 86 API calls 4 library calls 95155->95221 95157->95151 95158 fea982 95159->95149 95160->95149 95216 fbcc5c 86 API calls 4 library calls 95161->95216 95163->95149 95164->95149 95167->95149 95222 fcf8ae 95168->95222 95170 fd0d2d 95170->95149 95172 fcf8ae 129 API calls 95171->95172 95173 fd0d19 95172->95173 95173->95149 95175 f7d7f7 48 API calls 95174->95175 95176 fcf0c0 95175->95176 95177 f7d7f7 48 API calls 95176->95177 95178 fcf0c8 
95177->95178 95179 f7d7f7 48 API calls 95178->95179 95180 fcf0d0 95179->95180 95181 f7936c 81 API calls 95180->95181 95194 fcf0de 95181->95194 95182 f76a63 48 API calls 95182->95194 95183 fcf2cc 95184 fcf2f9 Mailbox 95183->95184 95324 f76b68 48 API calls 95183->95324 95184->95149 95185 fcf2b3 95189 f7518c 48 API calls 95185->95189 95187 fcf2ce 95191 f7518c 48 API calls 95187->95191 95188 f76eed 48 API calls 95188->95194 95192 fcf2c0 95189->95192 95190 f7c799 48 API calls 95190->95194 95193 fcf2dd 95191->95193 95196 f7510d 48 API calls 95192->95196 95197 f7510d 48 API calls 95193->95197 95194->95182 95194->95183 95194->95184 95194->95185 95194->95187 95194->95188 95194->95190 95195 f7bdfa 48 API calls 95194->95195 95198 f7bdfa 48 API calls 95194->95198 95203 f7936c 81 API calls 95194->95203 95204 f7518c 48 API calls 95194->95204 95205 f7510d 48 API calls 95194->95205 95199 fcf175 CharUpperBuffW 95195->95199 95196->95183 95197->95183 95200 fcf23a CharUpperBuffW 95198->95200 95201 f7d645 53 API calls 95199->95201 95323 f8d922 55 API calls 2 library calls 95200->95323 95201->95194 95203->95194 95204->95194 95205->95194 95207 fba6fb 95206->95207 95208 f8f4ea 48 API calls 95207->95208 95209 fba709 95208->95209 95210 fba717 95209->95210 95211 f7d7f7 48 API calls 95209->95211 95210->95149 95211->95210 95212->95151 95213->95151 95214->95149 95215->95153 95216->95127 95217->95153 95218->95153 95219->95146 95220->95142 95221->95158 95223 f7936c 81 API calls 95222->95223 95224 fcf8ea 95223->95224 95248 fcf92c Mailbox 95224->95248 95258 fd0567 95224->95258 95226 fcfb8b 95227 fcfcfa 95226->95227 95231 fcfb95 95226->95231 95306 fd0688 89 API calls Mailbox 95227->95306 95230 fcfd07 95230->95231 95232 fcfd13 95230->95232 95271 fcf70a 95231->95271 95232->95248 95233 f7936c 81 API calls 95243 fcf984 Mailbox 95233->95243 95238 fcfbc9 95285 f8ed18 95238->95285 95241 fcfbfd 95245 f8c050 48 API calls 95241->95245 95242 fcfbe3 95304 fbcc5c 86 API calls 4 library calls 95242->95304 
95243->95226 95243->95233 95243->95248 95302 fd29e8 48 API calls _memcpy_s 95243->95302 95303 fcfda5 60 API calls 2 library calls 95243->95303 95247 fcfc14 95245->95247 95246 fcfbee GetCurrentProcess TerminateProcess 95246->95241 95249 f81b90 48 API calls 95247->95249 95256 fcfc3e 95247->95256 95248->95170 95250 fcfc2d 95249->95250 95253 fd040f 105 API calls 95250->95253 95251 f81b90 48 API calls 95251->95256 95252 fcfd65 95252->95248 95254 fcfd7e FreeLibrary 95252->95254 95253->95256 95254->95248 95256->95251 95256->95252 95289 fd040f 95256->95289 95305 f7dcae 50 API calls Mailbox 95256->95305 95259 f7bdfa 48 API calls 95258->95259 95260 fd0582 CharLowerBuffW 95259->95260 95307 fb1f11 95260->95307 95264 f7d7f7 48 API calls 95265 fd05bb 95264->95265 95314 f769e9 48 API calls _memcpy_s 95265->95314 95267 fd05d2 95268 f7b18b 48 API calls 95267->95268 95269 fd05de Mailbox 95268->95269 95270 fd061a Mailbox 95269->95270 95315 fcfda5 60 API calls 2 library calls 95269->95315 95270->95243 95272 fcf77a 95271->95272 95273 fcf725 95271->95273 95277 fd0828 95272->95277 95274 f8f4ea 48 API calls 95273->95274 95276 fcf747 95274->95276 95275 f8f4ea 48 API calls 95275->95276 95276->95272 95276->95275 95278 fd0a53 Mailbox 95277->95278 95281 fd084b _strcat _wcscpy __wsetenvp 95277->95281 95278->95238 95279 f7cf93 58 API calls 95279->95281 95280 f7d286 48 API calls 95280->95281 95281->95278 95281->95279 95281->95280 95282 f9395c 47 API calls _W_store_winword 95281->95282 95283 f7936c 81 API calls 95281->95283 95318 fb8035 50 API calls __wsetenvp 95281->95318 95282->95281 95283->95281 95286 f8ed2d 95285->95286 95287 f8edc5 VirtualProtect 95286->95287 95288 f8ed93 95286->95288 95287->95288 95288->95241 95288->95242 95290 fd0427 95289->95290 95297 fd0443 95289->95297 95291 fd044f 95290->95291 95292 fd042e 95290->95292 95293 fd04f8 95290->95293 95290->95297 95321 f7cdb9 48 API calls 95291->95321 95319 fb7c56 50 API calls _strlen 95292->95319 95322 fb9dc5 103 API calls 95293->95322 95294 
fd051e 95294->95256 95295 f91c9d _free 47 API calls 95295->95294 95297->95294 95297->95295 95300 fd0438 95320 f7cdb9 48 API calls 95300->95320 95302->95243 95303->95243 95304->95246 95305->95256 95306->95230 95308 fb1f3b __wsetenvp 95307->95308 95309 fb1f79 95308->95309 95311 fb1f6f 95308->95311 95312 fb1ffa 95308->95312 95309->95264 95309->95269 95311->95309 95316 f8d37a 60 API calls 95311->95316 95312->95309 95317 f8d37a 60 API calls 95312->95317 95314->95267 95315->95270 95316->95311 95317->95312 95318->95281 95319->95300 95320->95297 95321->95297 95322->95297 95323->95194 95324->95184 95325 fe19cb 95330 f72322 95325->95330 95327 fe19d1 95363 f90f0a 52 API calls __cinit 95327->95363 95329 fe19db 95331 f72344 95330->95331 95364 f726df 95331->95364 95336 f7d7f7 48 API calls 95337 f72384 95336->95337 95338 f7d7f7 48 API calls 95337->95338 95339 f7238e 95338->95339 95340 f7d7f7 48 API calls 95339->95340 95341 f72398 95340->95341 95342 f7d7f7 48 API calls 95341->95342 95343 f723de 95342->95343 95344 f7d7f7 48 API calls 95343->95344 95345 f724c1 95344->95345 95372 f7263f 95345->95372 95349 f724f1 95350 f7d7f7 48 API calls 95349->95350 95351 f724fb 95350->95351 95401 f72745 95351->95401 95353 f72546 95354 f72556 GetStdHandle 95353->95354 95355 fe501d 95354->95355 95356 f725b1 95354->95356 95355->95356 95358 fe5026 95355->95358 95357 f725b7 CoInitialize 95356->95357 95357->95327 95408 fb92d4 53 API calls 95358->95408 95360 fe502d 95409 fb99f9 CreateThread 95360->95409 95362 fe5039 CloseHandle 95362->95357 95363->95329 95410 f72854 95364->95410 95367 f76a63 48 API calls 95368 f7234a 95367->95368 95369 f7272e 95368->95369 95424 f727ec 6 API calls 95369->95424 95371 f7237a 95371->95336 95373 f7d7f7 48 API calls 95372->95373 95374 f7264f 95373->95374 95375 f7d7f7 48 API calls 95374->95375 95376 f72657 95375->95376 95425 f726a7 95376->95425 95379 f726a7 48 API calls 95380 f72667 95379->95380 95381 f7d7f7 48 API calls 95380->95381 95382 f72672 95381->95382 95383 f8f4ea 48 API 
calls 95382->95383 95384 f724cb 95383->95384 95385 f722a4 95384->95385 95386 f722b2 95385->95386 95387 f7d7f7 48 API calls 95386->95387 95388 f722bd 95387->95388 95389 f7d7f7 48 API calls 95388->95389 95390 f722c8 95389->95390 95391 f7d7f7 48 API calls 95390->95391 95392 f722d3 95391->95392 95393 f7d7f7 48 API calls 95392->95393 95394 f722de 95393->95394 95395 f726a7 48 API calls 95394->95395 95396 f722e9 95395->95396 95397 f8f4ea 48 API calls 95396->95397 95398 f722f0 95397->95398 95399 fe1fe7 95398->95399 95400 f722f9 RegisterWindowMessageW 95398->95400 95400->95349 95402 f72755 95401->95402 95403 fe5f4d 95401->95403 95404 f8f4ea 48 API calls 95402->95404 95430 fbc942 50 API calls 95403->95430 95406 f7275d 95404->95406 95406->95353 95407 fe5f58 95408->95360 95409->95362 95431 fb99df 54 API calls 95409->95431 95417 f72870 95410->95417 95413 f72870 48 API calls 95414 f72864 95413->95414 95415 f7d7f7 48 API calls 95414->95415 95416 f72716 95415->95416 95416->95367 95418 f7d7f7 48 API calls 95417->95418 95419 f7287b 95418->95419 95420 f7d7f7 48 API calls 95419->95420 95421 f72883 95420->95421 95422 f7d7f7 48 API calls 95421->95422 95423 f7285c 95422->95423 95423->95413 95424->95371 95426 f7d7f7 48 API calls 95425->95426 95427 f726b0 95426->95427 95428 f7d7f7 48 API calls 95427->95428 95429 f7265f 95428->95429 95429->95379 95430->95407 95432 f73742 95433 f7374b 95432->95433 95434 f73769 95433->95434 95435 f737c8 95433->95435 95473 f737c6 95433->95473 95439 f73776 95434->95439 95440 f7382c PostQuitMessage 95434->95440 95437 f737ce 95435->95437 95438 fe1e00 95435->95438 95436 f737ab DefWindowProcW 95462 f737b9 95436->95462 95441 f737f6 SetTimer RegisterWindowMessageW 95437->95441 95442 f737d3 95437->95442 95487 f72ff6 16 API calls 95438->95487 95444 fe1e88 95439->95444 95445 f73781 95439->95445 95440->95462 95450 f7381f CreatePopupMenu 95441->95450 95441->95462 95447 fe1da3 95442->95447 95448 f737da KillTimer 95442->95448 95492 fb4ddd 60 API calls _memset 95444->95492 
95451 f73836 95445->95451 95452 f73789 95445->95452 95455 fe1ddc MoveWindow 95447->95455 95456 fe1da8 95447->95456 95484 f73847 Shell_NotifyIconW _memset 95448->95484 95449 fe1e27 95488 f8e312 335 API calls Mailbox 95449->95488 95450->95462 95477 f8eb83 95451->95477 95453 f73794 95452->95453 95466 fe1e6d 95452->95466 95459 f7379f 95453->95459 95460 fe1e58 95453->95460 95455->95462 95463 fe1dac 95456->95463 95464 fe1dcb SetFocus 95456->95464 95459->95436 95489 f73847 Shell_NotifyIconW _memset 95459->95489 95490 fb55bd 70 API calls _memset 95460->95490 95461 fe1e9a 95461->95436 95461->95462 95463->95459 95467 fe1db5 95463->95467 95464->95462 95465 f737ed 95485 f7390f DeleteObject DestroyWindow Mailbox 95465->95485 95466->95436 95491 faa5f3 48 API calls 95466->95491 95486 f72ff6 16 API calls 95467->95486 95472 fe1e68 95472->95462 95473->95436 95475 fe1e4c 95476 f74ffc 67 API calls 95475->95476 95476->95473 95478 f8ec1c 95477->95478 95479 f8eb9a _memset 95477->95479 95478->95462 95480 f751af 50 API calls 95479->95480 95482 f8ebc1 95480->95482 95481 f8ec05 KillTimer SetTimer 95481->95478 95482->95481 95483 fe3c7a Shell_NotifyIconW 95482->95483 95483->95481 95484->95465 95485->95462 95486->95462 95487->95449 95488->95459 95489->95475 95490->95472 95491->95473 95492->95461 95493 f7ef80 95496 f83b70 95493->95496 95495 f7ef8c 95497 f83bc8 95496->95497 95518 f842a5 95496->95518 95498 f83bef 95497->95498 95500 fe6fd1 95497->95500 95502 fe6f7e 95497->95502 95509 fe6f9b 95497->95509 95499 f8f4ea 48 API calls 95498->95499 95501 f83c18 95499->95501 95576 fcceca 335 API calls Mailbox 95500->95576 95504 f8f4ea 48 API calls 95501->95504 95502->95498 95505 fe6f87 95502->95505 95540 f83c2c _memcpy_s __wsetenvp 95504->95540 95573 fcd552 335 API calls Mailbox 95505->95573 95506 fe6fbe 95575 fbcc5c 86 API calls 4 library calls 95506->95575 95509->95506 95574 fcda0e 335 API calls 2 library calls 95509->95574 95511 f842f2 95595 fbcc5c 86 API calls 4 library calls 95511->95595 95513 fe73b0 
95513->95495 95514 fe7297 95584 fbcc5c 86 API calls 4 library calls 95514->95584 95515 fe737a 95594 fbcc5c 86 API calls 4 library calls 95515->95594 95588 fbcc5c 86 API calls 4 library calls 95518->95588 95519 f8dce0 53 API calls 95519->95540 95522 f840df 95585 fbcc5c 86 API calls 4 library calls 95522->95585 95524 fe707e 95577 fbcc5c 86 API calls 4 library calls 95524->95577 95525 f7d6e9 55 API calls 95525->95540 95528 f7d645 53 API calls 95528->95540 95531 fe72d2 95586 fbcc5c 86 API calls 4 library calls 95531->95586 95533 fe7350 95592 fbcc5c 86 API calls 4 library calls 95533->95592 95535 fe7363 95593 fbcc5c 86 API calls 4 library calls 95535->95593 95537 fe72e9 95587 fbcc5c 86 API calls 4 library calls 95537->95587 95540->95511 95540->95514 95540->95515 95540->95518 95540->95519 95540->95522 95540->95524 95540->95525 95540->95528 95540->95531 95540->95533 95540->95535 95540->95537 95541 f76a63 48 API calls 95540->95541 95543 fe714c 95540->95543 95544 f8f4ea 48 API calls 95540->95544 95545 f8c050 48 API calls 95540->95545 95546 f7fe30 335 API calls 95540->95546 95548 fe733f 95540->95548 95549 f83f2b 95540->95549 95551 f7d286 48 API calls 95540->95551 95554 fe71e1 95540->95554 95557 f8ee75 48 API calls 95540->95557 95558 f76eed 48 API calls 95540->95558 95568 f7d9a0 53 API calls __cinit 95540->95568 95569 f7d83d 53 API calls 95540->95569 95570 f7cdb9 48 API calls 95540->95570 95571 f8c15c 48 API calls 95540->95571 95572 f8becb 335 API calls 95540->95572 95578 f7dcae 50 API calls Mailbox 95540->95578 95579 fcccdc 48 API calls 95540->95579 95580 fba1eb 50 API calls 95540->95580 95541->95540 95581 fcccdc 48 API calls 95543->95581 95544->95540 95545->95540 95546->95540 95591 fbcc5c 86 API calls 4 library calls 95548->95591 95549->95495 95551->95540 95553 fe71a1 95583 f8c15c 48 API calls 95553->95583 95554->95549 95590 fbcc5c 86 API calls 4 library calls 95554->95590 95557->95540 95558->95540 95560 fe715f 95560->95553 95582 fcccdc 48 API calls 95560->95582 95562 
fe71ce 95563 f8c050 48 API calls 95562->95563 95565 fe71d6 95563->95565 95564 fe71ab 95564->95518 95564->95562 95565->95554 95566 fe7313 95565->95566 95589 fbcc5c 86 API calls 4 library calls 95566->95589 95568->95540 95569->95540 95570->95540 95571->95540 95572->95540 95573->95549 95574->95506 95575->95500 95576->95540 95577->95549 95578->95540 95579->95540 95580->95540 95581->95560 95582->95560 95583->95564 95584->95522 95585->95549 95586->95537 95587->95549 95588->95549 95589->95549 95590->95549 95591->95549 95592->95549 95593->95549 95594->95549 95595->95513 95596 fe9c06 95607 f8d3be 95596->95607 95598 fe9c1c 95599 fe9c91 Mailbox 95598->95599 95616 f71caa 49 API calls 95598->95616 95601 f83200 335 API calls 95599->95601 95603 fe9cc5 95601->95603 95602 fe9c71 95602->95603 95617 fbb171 48 API calls 95602->95617 95605 fea7ab Mailbox 95603->95605 95618 fbcc5c 86 API calls 4 library calls 95603->95618 95608 f8d3ca 95607->95608 95609 f8d3dc 95607->95609 95619 f7dcae 50 API calls Mailbox 95608->95619 95611 f8d40b 95609->95611 95612 f8d3e2 95609->95612 95620 f7dcae 50 API calls Mailbox 95611->95620 95614 f8f4ea 48 API calls 95612->95614 95615 f8d3d4 95614->95615 95615->95598 95616->95602 95617->95599 95618->95605 95619->95615 95620->95615 95621 17248a8 95635 17224f8 95621->95635 95623 172497f 95638 1724798 95623->95638 95637 1722b83 95635->95637 95641 17259a8 GetPEB 95635->95641 95637->95623 95639 17247a1 Sleep 95638->95639 95640 17247af 95639->95640 95641->95637 95642 fbbb64 95643 fbbb77 95642->95643 95644 fbbb71 95642->95644 95646 fbbb88 95643->95646 95648 f91c9d _free 47 API calls 95643->95648 95645 f91c9d _free 47 API calls 95644->95645 95645->95643 95647 fbbb9a 95646->95647 95649 f91c9d _free 47 API calls 95646->95649 95648->95646 95649->95647

            Control-flow Graph (rendered graph omitted). The function spanning 00F9B043 to 00F9B86C calls WriteFile, GetConsoleMode, GetConsoleCP, WideCharToMultiByte and GetLastError, with separate narrow-character and wide-character write paths; this is consistent with the C runtime's low-level write routine rather than sample-specific logic.
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c268dc6e57509d0a43c1c3f400c032076e493573cf1baf5e190febc1a8798012
            • Instruction ID: 1c0e99bbef75bcf7b49de558d757852b5265c6fc1524fc7e36b74e169827ee21
            • Opcode Fuzzy Hash: c268dc6e57509d0a43c1c3f400c032076e493573cf1baf5e190febc1a8798012
            • Instruction Fuzzy Hash: 2F327E75E022288BEF24CF54ED816E9B7B5FF46310F0841D9E40AA7A85D7349E81DF52

            Control-flow Graph

            APIs
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00F73AA3,?), ref: 00F73D45
            • IsDebuggerPresent.KERNEL32(?,?,?,?,00F73AA3,?), ref: 00F73D57
            • GetFullPathNameW.KERNEL32(00007FFF,?,?,01031148,01031130,?,?,?,?,00F73AA3,?), ref: 00F73DC8
              • Part of subcall function 00F76430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F73DEE,01031148,?,?,?,?,?,00F73AA3,?), ref: 00F76471
            • SetCurrentDirectoryW.KERNEL32(?,?,?,00F73AA3,?), ref: 00F73E48
            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010228F4,00000010), ref: 00FE1CCE
            • SetCurrentDirectoryW.KERNEL32(?,01031148,?,?,?,?,?,00F73AA3,?), ref: 00FE1D06
            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0100DAB4,01031148,?,?,?,?,?,00F73AA3,?), ref: 00FE1D89
            • ShellExecuteW.SHELL32(00000000,?,?,?,?,00F73AA3), ref: 00FE1D90
              • Part of subcall function 00F73E6E: GetSysColorBrush.USER32(0000000F), ref: 00F73E79
              • Part of subcall function 00F73E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00F73E88
              • Part of subcall function 00F73E6E: LoadIconW.USER32(00000063), ref: 00F73E9E
              • Part of subcall function 00F73E6E: LoadIconW.USER32(000000A4), ref: 00F73EB0
              • Part of subcall function 00F73E6E: LoadIconW.USER32(000000A2), ref: 00F73EC2
              • Part of subcall function 00F73E6E: RegisterClassExW.USER32(?), ref: 00F73F30
              • Part of subcall function 00F736B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F736E6
              • Part of subcall function 00F736B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F73707
              • Part of subcall function 00F736B8: ShowWindow.USER32(00000000,?,?,?,?,00F73AA3,?), ref: 00F7371B
              • Part of subcall function 00F736B8: ShowWindow.USER32(00000000,?,?,?,?,00F73AA3,?), ref: 00F73724
              • Part of subcall function 00F74FFC: _memset.LIBCMT ref: 00F75022
              • Part of subcall function 00F74FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F750CB
            Strings
            • runas, xrefs: 00FE1D84
            • This is a third-party compiled AutoIt script., xrefs: 00FE1CC8
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
            • String ID: This is a third-party compiled AutoIt script.$runas
            • API String ID: 438480954-3287110873
            • Opcode ID: f9c4748bd1924f4249d2c8a9b966ddb85d27ac884ffdc554263e3ee1ca9515a3
            • Instruction ID: c5c95461dd919b9ee93e55cd20469c69f76ac64ea975aef5153f8576679693b0
            • Opcode Fuzzy Hash: f9c4748bd1924f4249d2c8a9b966ddb85d27ac884ffdc554263e3ee1ca9515a3
            • Instruction Fuzzy Hash: AF513831E04248BACB21ABF1DC41EED7B7DAF49B10F00C06AF59566142DBB94609FB23

            Control-flow Graph

            APIs
            • GetVersionExW.KERNEL32(?), ref: 00F8DDEC
            • GetCurrentProcess.KERNEL32(00000000,0100DC38,?,?), ref: 00F8DEAC
            • GetNativeSystemInfo.KERNELBASE(?,0100DC38,?,?), ref: 00F8DF01
            • FreeLibrary.KERNEL32(00000000,?,?), ref: 00F8DF0C
            • FreeLibrary.KERNEL32(00000000,?,?), ref: 00F8DF1F
            • GetSystemInfo.KERNEL32(?,0100DC38,?,?), ref: 00F8DF29
            • GetSystemInfo.KERNEL32(?,0100DC38,?,?), ref: 00F8DF35
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
            • String ID:
            • API String ID: 3851250370-0
            • Opcode ID: 8191dc0850fbd31917f8f958dcb6d0c9e8b40f29b97ee98cf2c4c89387e13a5d
            • Instruction ID: dfdc27301eecf540c74f7859d48f300ca8163cb1aa77d1f2be3154b6725b644c
            • Opcode Fuzzy Hash: 8191dc0850fbd31917f8f958dcb6d0c9e8b40f29b97ee98cf2c4c89387e13a5d
            • Instruction Fuzzy Hash: 3061B2B280A3C4DBCF15DF6898C11E9BFB46F29300B1989D9D8459F287D624C909EB66

            Control-flow Graph

            APIs
            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F7449E,?,?,00000000,00000001), ref: 00F7407B
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F7449E,?,?,00000000,00000001), ref: 00F74092
            • LoadResource.KERNEL32(?,00000000,?,?,00F7449E,?,?,00000000,00000001,?,?,?,?,?,?,00F741FB), ref: 00FE4F1A
            • SizeofResource.KERNEL32(?,00000000,?,?,00F7449E,?,?,00000000,00000001,?,?,?,?,?,?,00F741FB), ref: 00FE4F2F
            • LockResource.KERNEL32(00F7449E,?,?,00F7449E,?,?,00000000,00000001,?,?,?,?,?,?,00F741FB,00000000), ref: 00FE4F42
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT
            • API String ID: 3051347437-3967369404
            • Opcode ID: 864a4f488d7829eb3590482fc78fa4a34a1ea8eca57112ff9109e165b9cda7ac
            • Instruction ID: 83eb1fae1582aa02d7657f4fad87529e3388e7c5baff9418a9db1829eb143fb4
            • Opcode Fuzzy Hash: 864a4f488d7829eb3590482fc78fa4a34a1ea8eca57112ff9109e165b9cda7ac
            • Instruction Fuzzy Hash: 89111C71600705AFE7218B65DC48F277BBEEFC5B51F14816DB60696250DB71EC00EA71
            APIs
            • GetFileAttributesW.KERNELBASE(?,00FE2F49), ref: 00FB6CB9
            • FindFirstFileW.KERNELBASE(?,?), ref: 00FB6CCA
            • FindClose.KERNEL32(00000000), ref: 00FB6CDA
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseFirst
            • String ID:
            • API String ID: 48322524-0
            • Opcode ID: 72d707f8637f5cbc4fe3bf7058b92faebaab643a2080894ba2076df0c11407c3
            • Instruction ID: 2000eea8b4d62d2b3ede2b4e3830a37dd31773e9f92ee0bd3fff00b817bd20af
            • Opcode Fuzzy Hash: 72d707f8637f5cbc4fe3bf7058b92faebaab643a2080894ba2076df0c11407c3
            • Instruction Fuzzy Hash: F7E0D8728104145792106738EC0D4F93B6DDF0533AF100705F571C11D0E774E900A9D5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Exception@8Throwstd::exception::exception
            • String ID: @
            • API String ID: 3728558374-2766056989
            • Opcode ID: 81e58f77fadf42ec223b1cc1f30819ba976d660a5973345aea6d0257fd229053
            • Instruction ID: a215d471569c02e92bcd06215ea979eeb25223893f3d08fc989fa955f5b40fe2
            • Opcode Fuzzy Hash: 81e58f77fadf42ec223b1cc1f30819ba976d660a5973345aea6d0257fd229053
            • Instruction Fuzzy Hash: EB72DD71E04249DFCF24EF94C881BEEB7B5EF48710F14805AE909AB252D734AE45EB91
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID:
            • API String ID: 3964851224-0
            • Opcode ID: 44207fa007b63157cca21ebad8e9c9cbb08f8d1ff0e3acdc74e23ddf544c9488
            • Instruction ID: 2c073ca0932a9e21f7819585ca01afd7faa8c96a008b8573ff7cd72ba026ee3c
            • Opcode Fuzzy Hash: 44207fa007b63157cca21ebad8e9c9cbb08f8d1ff0e3acdc74e23ddf544c9488
            • Instruction Fuzzy Hash: 7E92AC70608341CFD724EF18C480BAAB7E1BF88714F14885DE98A8B3A2D775ED45EB52
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F7E959
            • timeGetTime.WINMM ref: 00F7EBFA
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F7ED2E
            • TranslateMessage.USER32(?), ref: 00F7ED3F
            • DispatchMessageW.USER32(?), ref: 00F7ED4A
            • LockWindowUpdate.USER32(00000000), ref: 00F7ED79
            • DestroyWindow.USER32 ref: 00F7ED85
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F7ED9F
            • Sleep.KERNEL32(0000000A), ref: 00FE5270
            • TranslateMessage.USER32(?), ref: 00FE59F7
            • DispatchMessageW.USER32(?), ref: 00FE5A05
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FE5A19
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
            • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
            • API String ID: 2641332412-570651680
            • Opcode ID: 4393ef939ec3ab8d9929371ec6af1826b4387b4e8aaab551f2dfc5dcae5079bb
            • Instruction ID: 765a314340fd0dcab9ac4488a58aeab2e0771239c7018377e1653488ee17c46c
            • Opcode Fuzzy Hash: 4393ef939ec3ab8d9929371ec6af1826b4387b4e8aaab551f2dfc5dcae5079bb
            • Instruction Fuzzy Hash: EF62C371504380DFDB20DF24C885BAA77E5BF48714F0489AFF98A8B292D7799844EB53
            APIs
            • ___createFile.LIBCMT ref: 00FA5EC3
            • ___createFile.LIBCMT ref: 00FA5F04
            • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00FA5F2D
            • __dosmaperr.LIBCMT ref: 00FA5F34
            • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00FA5F47
            • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00FA5F6A
            • __dosmaperr.LIBCMT ref: 00FA5F73
            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00FA5F7C
            • __set_osfhnd.LIBCMT ref: 00FA5FAC
            • __lseeki64_nolock.LIBCMT ref: 00FA6016
            • __close_nolock.LIBCMT ref: 00FA603C
            • __chsize_nolock.LIBCMT ref: 00FA606C
            • __lseeki64_nolock.LIBCMT ref: 00FA607E
            • __lseeki64_nolock.LIBCMT ref: 00FA6176
            • __lseeki64_nolock.LIBCMT ref: 00FA618B
            • __close_nolock.LIBCMT ref: 00FA61EB
              • Part of subcall function 00F9EA9C: CloseHandle.KERNELBASE(00000000,0101EEF4,00000000,?,00FA6041,0101EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00F9EAEC
              • Part of subcall function 00F9EA9C: GetLastError.KERNEL32(?,00FA6041,0101EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00F9EAF6
              • Part of subcall function 00F9EA9C: __free_osfhnd.LIBCMT ref: 00F9EB03
              • Part of subcall function 00F9EA9C: __dosmaperr.LIBCMT ref: 00F9EB25
              • Part of subcall function 00F97C0E: __getptd_noexit.LIBCMT ref: 00F97C0E
            • __lseeki64_nolock.LIBCMT ref: 00FA620D
            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00FA6342
            • ___createFile.LIBCMT ref: 00FA6361
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00FA636E
            • __dosmaperr.LIBCMT ref: 00FA6375
            • __free_osfhnd.LIBCMT ref: 00FA6395
            • __invoke_watson.LIBCMT ref: 00FA63C3
            • __wsopen_helper.LIBCMT ref: 00FA63DD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
            • String ID: @
            • API String ID: 3896587723-2766056989
            • Opcode ID: f84888361a5333606a0b068a9306b0f2fb7993600565e0e9225938f6d13849f2
            • Instruction ID: 7909a16e3b4ac23fcaadaaf2b1da7703400b16dc321bb444a19ae3686c646538
            • Opcode Fuzzy Hash: f84888361a5333606a0b068a9306b0f2fb7993600565e0e9225938f6d13849f2
            • Instruction Fuzzy Hash: 8C2203F2D046099FEF299E68CC85BBD7B61EB16734F284229E521DB2D1C3398D40E791

            Control-flow Graph

            APIs
            • _wcscpy.LIBCMT ref: 00FBFA96
            • _wcschr.LIBCMT ref: 00FBFAA4
            • _wcscpy.LIBCMT ref: 00FBFABB
            • _wcscat.LIBCMT ref: 00FBFACA
            • _wcscat.LIBCMT ref: 00FBFAE8
            • _wcscpy.LIBCMT ref: 00FBFB09
            • __wsplitpath.LIBCMT ref: 00FBFBE6
            • _wcscpy.LIBCMT ref: 00FBFC0B
            • _wcscpy.LIBCMT ref: 00FBFC1D
            • _wcscpy.LIBCMT ref: 00FBFC32
            • _wcscat.LIBCMT ref: 00FBFC47
            • _wcscat.LIBCMT ref: 00FBFC59
            • _wcscat.LIBCMT ref: 00FBFC6E
              • Part of subcall function 00FBBFA4: _wcscmp.LIBCMT ref: 00FBC03E
              • Part of subcall function 00FBBFA4: __wsplitpath.LIBCMT ref: 00FBC083
              • Part of subcall function 00FBBFA4: _wcscpy.LIBCMT ref: 00FBC096
              • Part of subcall function 00FBBFA4: _wcscat.LIBCMT ref: 00FBC0A9
              • Part of subcall function 00FBBFA4: __wsplitpath.LIBCMT ref: 00FBC0CE
              • Part of subcall function 00FBBFA4: _wcscat.LIBCMT ref: 00FBC0E4
              • Part of subcall function 00FBBFA4: _wcscat.LIBCMT ref: 00FBC0F7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
            • String ID: >>>AUTOIT SCRIPT<<<
            • API String ID: 2955681530-2806939583
            • Opcode ID: a338a6790ff195216dd0441058b4a057e9990deb283af9fd6b71740c4c2250da
            • Instruction ID: 442dae10bc15d3748ef01ca5e2439e85331891b6ce1d99df92f6ef11c8f10cbd
            • Opcode Fuzzy Hash: a338a6790ff195216dd0441058b4a057e9990deb283af9fd6b71740c4c2250da
            • Instruction Fuzzy Hash: 10919471504305AFDB20EB55CC51F9AB3E9BF84310F04886AF95997291DB38FA48DF92

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00F73F86
            • RegisterClassExW.USER32(00000030), ref: 00F73FB0
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F73FC1
            • InitCommonControlsEx.COMCTL32(?), ref: 00F73FDE
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F73FEE
            • LoadIconW.USER32(000000A9), ref: 00F74004
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F74013
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: 02825c00bc5f440c36e5305e1671a7bc5d3caf73f57094ac7c73075166b437b3
            • Instruction ID: 1b566763b2541b84bce99625b51c5139d8adc5dce2ea7433a2d192b64b219627
            • Opcode Fuzzy Hash: 02825c00bc5f440c36e5305e1671a7bc5d3caf73f57094ac7c73075166b437b3
            • Instruction Fuzzy Hash: DE21C4B5900318AFDB10EFE4E889BDDBBB9FB0C700F00421AF651AA294D7B54544EF91

            Control-flow Graph

            APIs
              • Part of subcall function 00FBBDB4: __time64.LIBCMT ref: 00FBBDBE
              • Part of subcall function 00F74517: _fseek.LIBCMT ref: 00F7452F
            • __wsplitpath.LIBCMT ref: 00FBC083
              • Part of subcall function 00F91DFC: __wsplitpath_helper.LIBCMT ref: 00F91E3C
            • _wcscpy.LIBCMT ref: 00FBC096
            • _wcscat.LIBCMT ref: 00FBC0A9
            • __wsplitpath.LIBCMT ref: 00FBC0CE
            • _wcscat.LIBCMT ref: 00FBC0E4
            • _wcscat.LIBCMT ref: 00FBC0F7
            • _wcscmp.LIBCMT ref: 00FBC03E
              • Part of subcall function 00FBC56D: _wcscmp.LIBCMT ref: 00FBC65D
              • Part of subcall function 00FBC56D: _wcscmp.LIBCMT ref: 00FBC670
            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FBC2A1
            • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FBC338
            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FBC34E
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FBC35F
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FBC371
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
            • String ID:
            • API String ID: 2378138488-0
            • Opcode ID: 26788f9f463ddd265105736494fad90a729c8af46f22e9ee02f0eb1c7d66e513
            • Instruction ID: cc7087ad9cd647c95ee4c714c5b13601affc1882f43c6156d6d2e451e74d85c2
            • Opcode Fuzzy Hash: 26788f9f463ddd265105736494fad90a729c8af46f22e9ee02f0eb1c7d66e513
            • Instruction Fuzzy Hash: 44C11CB1E00229AFDF11DF95CC81EDEB7BDAF49310F0080A6F609E6151DB749A44AF61

            Control-flow Graph

            APIs
            • DefWindowProcW.USER32(?,?,?,?), ref: 00F737B3
            • KillTimer.USER32(?,00000001), ref: 00F737DD
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F73800
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F7380B
            • CreatePopupMenu.USER32 ref: 00F7381F
            • PostQuitMessage.USER32(00000000), ref: 00F7382E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated
            • API String ID: 129472671-2362178303
            • Opcode ID: 2aaee0c516b107c325ef6df26fec6400f7b3ef9c4a45831ec775ed524c6b67e3
            • Instruction ID: b172e1136f0e003fe56c021fca5cf65601fe1800fb6817583e236a2a54ba3a5b
            • Opcode Fuzzy Hash: 2aaee0c516b107c325ef6df26fec6400f7b3ef9c4a45831ec775ed524c6b67e3
            • Instruction Fuzzy Hash: 21413BF260814AB7DB285F68DC4AFB9366EFB48310F048117F549D6181DB799E02B763

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00F73E79
            • LoadCursorW.USER32(00000000,00007F00), ref: 00F73E88
            • LoadIconW.USER32(00000063), ref: 00F73E9E
            • LoadIconW.USER32(000000A4), ref: 00F73EB0
            • LoadIconW.USER32(000000A2), ref: 00F73EC2
              • Part of subcall function 00F74024: LoadImageW.USER32(00F70000,00000063,00000001,00000010,00000010,00000000), ref: 00F74048
            • RegisterClassExW.USER32(?), ref: 00F73F30
              • Part of subcall function 00F73F53: GetSysColorBrush.USER32(0000000F), ref: 00F73F86
              • Part of subcall function 00F73F53: RegisterClassExW.USER32(00000030), ref: 00F73FB0
              • Part of subcall function 00F73F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F73FC1
              • Part of subcall function 00F73F53: InitCommonControlsEx.COMCTL32(?), ref: 00F73FDE
              • Part of subcall function 00F73F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F73FEE
              • Part of subcall function 00F73F53: LoadIconW.USER32(000000A9), ref: 00F74004
              • Part of subcall function 00F73F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F74013
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: 45407a1b0b44e9ae75c5f1c340cd47f41bca51a90f308a0f7c3f7768780a7dcc
            • Instruction ID: 4a98daf23e1f96220aaf783624ab974d8238f6f8670a23f8eb93772c4aa5311b
            • Opcode Fuzzy Hash: 45407a1b0b44e9ae75c5f1c340cd47f41bca51a90f308a0f7c3f7768780a7dcc
            • Instruction Fuzzy Hash: A92165B1E04304ABCB14DFA9E845A99BFF9FB4C310F00812AE244A7294D37A4500DF91

            Control-flow Graph (interactive graph not reproduced; legend: Executed / Not Executed)
            • Blocks f9acb3-f9af57; calls along the paths: f96ac0, f97cf4, f96986, f9e880, GetStartupInfoW, GetStdHandle, GetFileType, InitializeCriticalSectionAndSpinCount, f9af58, f96b05
            APIs
            • __lock.LIBCMT ref: 00F9ACC1
              • Part of subcall function 00F97CF4: __mtinitlocknum.LIBCMT ref: 00F97D06
              • Part of subcall function 00F97CF4: EnterCriticalSection.KERNEL32(00000000,?,00F97ADD,0000000D), ref: 00F97D1F
            • __calloc_crt.LIBCMT ref: 00F9ACD2
              • Part of subcall function 00F96986: __calloc_impl.LIBCMT ref: 00F96995
              • Part of subcall function 00F96986: Sleep.KERNEL32(00000000,000003BC,00F8F507,?,0000000E), ref: 00F969AC
            • @_EH4_CallFilterFunc@8.LIBCMT ref: 00F9ACED
            • GetStartupInfoW.KERNEL32(?,01026E28,00000064,00F95E91,01026C70,00000014), ref: 00F9AD46
            • __calloc_crt.LIBCMT ref: 00F9AD91
            • GetFileType.KERNEL32(00000001), ref: 00F9ADD8
            • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00F9AE11
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
            • String ID:
            • API String ID: 1426640281-0
            • Opcode ID: 61805f95bfc3a6aefebb5687bd065798f254fc0615ce17ebb331b27a742d17b2
            • Instruction ID: 23660f9744c0b4edbb8ce89975de752dd2169ada7b4b143a7ba225a199e8dc15
            • Opcode Fuzzy Hash: 61805f95bfc3a6aefebb5687bd065798f254fc0615ce17ebb331b27a742d17b2
            • Instruction Fuzzy Hash: 9C81D171D053558FEF24DF69C8805A9BBF4AF05334B24425EE4A6AB3D1C7399803EB92

            Control-flow Graph (interactive graph not reproduced; legend: Executed / Not Executed)
            • Blocks 1724af8-1724dfa; calls along the paths: 17224f8, 1725a08, CreateFileW, VirtualAlloc, ReadFile, VirtualAlloc, 1725c58 (twice), 1725a68, CloseHandle, VirtualFree
            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01724BC9
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01724DEF
            Memory Dump Source
            • Source File: 00000000.00000002.1716575812.0000000001722000.00000040.00000020.00020000.00000000.sdmp, Offset: 01722000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1722000_PO#001498.jbxd
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
            • Instruction ID: 35bfb69f1f5932227877d327ec00e05bc32b23496773152dd597688f7cf4704b
            • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
            • Instruction Fuzzy Hash: 76A10A74E00219EBDB14CF94C898BEEFBB5FF48305F108559E602BB281D7759A81CB54

            Control-flow Graph (interactive graph not reproduced; legend: Executed / Not Executed)
            • Blocks f749fb-f74a2f and fe41cc-fe424f; calls along the paths: f7bcce, RegOpenKeyExW, RegQueryValueExW (twice), f8f4ea, f747b7, f76a63, f747e2, RegCloseKey
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00F74A1D
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FE41DB
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FE421A
            • RegCloseKey.ADVAPI32(?), ref: 00FE4249
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: QueryValue$CloseOpen
            • String ID: Include$Software\AutoIt v3\AutoIt
            • API String ID: 1586453840-614718249
            • Opcode ID: 4ada939e8949da37f22841511e06b9c1e678fcea91a3826415584bc16a63191c
            • Instruction ID: 1413b8be959f02a999fb51e82d593fb38bc0b3f55e1cbae92e2ffc0f491038b4
            • Opcode Fuzzy Hash: 4ada939e8949da37f22841511e06b9c1e678fcea91a3826415584bc16a63191c
            • Instruction Fuzzy Hash: A9112C71A0010DBEEB05ABA4CD86DBF7BACEF04354F104059B506D6191EAB4AE02EB60

            Control-flow Graph (interactive graph not reproduced; legend: Executed / Not Executed)
            • Single block f736b8-f73728: CreateWindowExW * 2, ShowWindow * 2
            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F736E6
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F73707
            • ShowWindow.USER32(00000000,?,?,?,?,00F73AA3,?), ref: 00F7371B
            • ShowWindow.USER32(00000000,?,?,?,?,00F73AA3,?), ref: 00F73724
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: 82d44e05595c839945132a65213bb07e02c409b262716b8159585d7bc6edd8d7
            • Instruction ID: 659cab160d6c4962583e77905d48aa7d752089ab660fc19da8a8fa72a0c0a9e1
            • Opcode Fuzzy Hash: 82d44e05595c839945132a65213bb07e02c409b262716b8159585d7bc6edd8d7
            • Instruction Fuzzy Hash: 7DF0B7716402947AE6315697AC48E777E7ED7CAF20F00401ABA48A62A4C6BA0895DBB0

            Control-flow Graph (interactive graph not reproduced; legend: Executed / Not Executed)
            • Blocks 17248a8-1724ab1; calls along the paths: 17224f8, 1724798, CreateFileW, VirtualAlloc, ReadFile, 17247d8, 1723798, 1724828, ExitProcess
            APIs
              • Part of subcall function 01724798: Sleep.KERNELBASE(000001F4), ref: 017247A9
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017249EB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1716575812.0000000001722000.00000040.00000020.00020000.00000000.sdmp, Offset: 01722000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1722000_PO#001498.jbxd
            Similarity
            • API ID: CreateFileSleep
            • String ID: SRF7JMMDYTDXXTA3H90JKEYRON3DP
            • API String ID: 2694422964-194945937
            • Opcode ID: 0551cf0715837eb938e11a6daf7f7d37deb578c65c726f2f0e750cbf1a5e8098
            • Instruction ID: 1b23e5b8a5ca2abec7e1dde5c1464c972fd3b8bc11bae354231eba5c0c05761b
            • Opcode Fuzzy Hash: 0551cf0715837eb938e11a6daf7f7d37deb578c65c726f2f0e750cbf1a5e8098
            • Instruction Fuzzy Hash: DD61A270D04298DAEF11DBF8C848BEEBBB4AF15304F044199E6597B2C1C7B90B49CBA5
            APIs
            • _memset.LIBCMT ref: 00F7522F
            • _wcscpy.LIBCMT ref: 00F75283
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F75293
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FE3CB0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_memset_wcscpy
            • String ID: Line:
            • API String ID: 1053898822-1585850449
            • Opcode ID: c557d850e016128ce3db1a937d33a3ef4b144389aa9d018ffe6d8161b0c10dc4
            • Instruction ID: 1c3b1f0ac97dcb106959dac5377f1c345900d8207b079b93101deb3e48d90474
            • Opcode Fuzzy Hash: c557d850e016128ce3db1a937d33a3ef4b144389aa9d018ffe6d8161b0c10dc4
            • Instruction Fuzzy Hash: DE318E715087406AD330EB60DC46FDAB7DCAB48710F00891FF58996092DBB8A508EB97
            APIs
              • Part of subcall function 00F741A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00F739FE,?,00000001), ref: 00F741DB
            • _free.LIBCMT ref: 00FE36B7
            • _free.LIBCMT ref: 00FE36FE
              • Part of subcall function 00F7C833: __wsplitpath.LIBCMT ref: 00F7C93E
              • Part of subcall function 00F7C833: _wcscpy.LIBCMT ref: 00F7C953
              • Part of subcall function 00F7C833: _wcscat.LIBCMT ref: 00F7C968
              • Part of subcall function 00F7C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00F7C978
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
            • API String ID: 805182592-1757145024
            • Opcode ID: 398508807d5cbfbbc1b5a1be7b5b888359701fd540f986efbbbf9d6e6a55d24c
            • Instruction ID: 83ca58192fec28be21c849d59f55221e841b00eecbf2452d02326515c124f361
            • Opcode Fuzzy Hash: 398508807d5cbfbbc1b5a1be7b5b888359701fd540f986efbbbf9d6e6a55d24c
            • Instruction Fuzzy Hash: 0B918271910259EFCF04EFA5CC599EDB7B4BF09310F14842AF416AB291DB78AA04EF91
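The strings in the entry above (">>>AUTOIT SCRIPT<<<", "AutoIt v3", "Software\AutoIt v3\AutoIt") are what the AutoIt3 interpreter itself carries, and their presence is what backs the "Binary is likely a compiled AutoIt script file" signature in this report. The following scanner is an added example, not code from Joe Sandbox or AutoIt: it searches a file image for those markers in both ASCII and the UTF-16LE form the Unicode runtime stores them in, and reports their offsets. The compiled-script tag "AU3!EA06" is an assumption taken from AutoIt unpacking tooling, not something this report recovered; the sample buffer is constructed.

```python
"""Static triage for compiled AutoIt v3 binaries (added example, not AutoIt
or Joe Sandbox code).  Looks for the interpreter strings this report
recovered and for the compiled-script magic, in both the ASCII and the
UTF-16LE form the Unicode runtime stores them in."""

# Strings recovered in this report's function listing.
REPORT_STRINGS = [">>>AUTOIT SCRIPT<<<", "AutoIt v3", "Software\\AutoIt v3\\AutoIt"]
# ASSUMPTION from AutoIt unpacking tooling, not from this report: the embedded
# compiled script begins with the 8-byte tag "AU3!EA06".
SCRIPT_MAGIC = b"AU3!EA06"


def find_markers(data: bytes) -> dict:
    """Map each marker to the sorted offsets where it occurs, trying both
    encodings for the text markers; markers that never occur are omitted."""
    candidates = {s: [s.encode("ascii"), s.encode("utf-16-le")] for s in REPORT_STRINGS}
    candidates["AU3!EA06"] = [SCRIPT_MAGIC]
    found = {}
    for label, needles in candidates.items():
        offsets = []
        for needle in needles:
            pos = data.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = data.find(needle, pos + 1)   # pos + 1 keeps overlapping hits
        if offsets:
            found[label] = sorted(offsets)
    return found


def looks_compiled_autoit(data: bytes) -> bool:
    """Heuristic: the script-resource banner together with either the script
    magic or the runtime's own registry path (present in every AutoIt3 exe)."""
    hits = find_markers(data)
    return ">>>AUTOIT SCRIPT<<<" in hits and (
        "AU3!EA06" in hits or "Software\\AutoIt v3\\AutoIt" in hits
    )


# Constructed sample, not a real file: an MZ stub, the runtime strings as
# UTF-16LE and the script tag, padded so the offsets are fixed.
SAMPLE = (
    b"MZ" + b"\x00" * 62                                               # 0..63
    + "AutoIt v3".encode("utf-16-le") + b"\x00" * 10                   # 64..91
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le") + b"\x00\x00"  # 92..143
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le") + b"\x00\x00"          # 144..183
    + SCRIPT_MAGIC + b"\x00" * 16                                      # 184..
)

if __name__ == "__main__":
    for marker, offsets in find_markers(SAMPLE).items():
        print(f"{marker!r}: {[hex(o) for o in offsets]}")
    print("compiled AutoIt:", looks_compiled_autoit(SAMPLE))
```

Note that "AutoIt v3" is reported twice on the sample: once on its own and once inside the registry path, which is why the registry path rather than the product name is used as the corroborating marker.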
            APIs
              • Part of subcall function 00F75374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01031148,?,00F761FF,?,00000000,00000001,00000000), ref: 00F75392
              • Part of subcall function 00F749FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00F74A1D
            • _wcscat.LIBCMT ref: 00FE2D80
            • _wcscat.LIBCMT ref: 00FE2DB5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _wcscat$FileModuleNameOpen
            • String ID: \$\Include\
            • API String ID: 3592542968-2640467822
            • Opcode ID: de89542633eb415445747ff2a87bcc6d2a8a6914b763e22601cc4858b649b6d5
            • Instruction ID: fdab3bdf981161263788c3047d00a0120e69984ac1952e9fa559a2906e32f11f
            • Opcode Fuzzy Hash: de89542633eb415445747ff2a87bcc6d2a8a6914b763e22601cc4858b649b6d5
            • Instruction Fuzzy Hash: AE5183794043409FC724EF56EA8185AB3FCFFA9310B40892FF6C893244EB799548DB52
            APIs
            • __getstream.LIBCMT ref: 00F934FE
              • Part of subcall function 00F97C0E: __getptd_noexit.LIBCMT ref: 00F97C0E
            • @_EH4_CallFilterFunc@8.LIBCMT ref: 00F93539
            • __wopenfile.LIBCMT ref: 00F93549
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
            • String ID: <G
            • API String ID: 1820251861-2138716496
            • Opcode ID: 04abf438d5417f046dcf3089521adf2b0ee86788d1a8886417c1bf0b109b7e15
            • Instruction ID: 219868c3aae14707b20a1bb3d6990a010f144fffd98c8a610c67404e7cd2d576
            • Opcode Fuzzy Hash: 04abf438d5417f046dcf3089521adf2b0ee86788d1a8886417c1bf0b109b7e15
            • Instruction Fuzzy Hash: DD11CA71E00316DBFF22FF758C4276F36A4AF45760B1A8525E815DB181EB38DA01BBA1
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F8D28B,SwapMouseButtons,00000004,?), ref: 00F8D2BC
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F8D28B,SwapMouseButtons,00000004,?,?,?,?,00F8C865), ref: 00F8D2DD
            • RegCloseKey.KERNELBASE(00000000,?,?,00F8D28B,SwapMouseButtons,00000004,?,?,?,?,00F8C865), ref: 00F8D2FF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: 4b3b5642636954274801785d2abb69de5fd2f516dcf09a1826aa73f77a673dca
            • Instruction ID: 3d142dd42d8c87eb4b38ab3c8f8ed6df170878c53ffacc252a0933db1d5305e2
            • Opcode Fuzzy Hash: 4b3b5642636954274801785d2abb69de5fd2f516dcf09a1826aa73f77a673dca
            • Instruction Fuzzy Hash: 4F112775A11208BFDF20AFA4CC84EEE7BBCEF44754B104469B805D7150E671AE41AB60
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 01723F53
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01723FE9
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0172400B
            Memory Dump Source
            • Source File: 00000000.00000002.1716575812.0000000001722000.00000040.00000020.00020000.00000000.sdmp, Offset: 01722000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1722000_PO#001498.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
            • Instruction ID: 2f2c04f26155c13f06a6e7de48f03e0004b899172a833f643589888877415133
            • Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
            • Instruction Fuzzy Hash: E5620B30A14258DBEB24CFA4C844BDEB772FF58300F1091A9D21DEB295E7799E81CB59
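The three functions this report places in the region at 01722000 ("based on PE: false", i.e. memory no loaded module backs) are the interesting ones: 01724BC9 and 017249EB open a file with GENERIC_READ (80000000), all share modes (00000007) and OPEN_EXISTING (00000003), read it into VirtualAlloc'd memory and, in the second case, end in ExitProcess; 01723F53 creates a process, fetches its 32-bit thread context (00010007 is CONTEXT_FULL for an x86 context) and reads 4 bytes from it, which is the opening of a process-hollowing loader and matches the "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures. The script below is an added example, not Joe Sandbox code: it transcribes these entries and two of the AutoIt-runtime entries from this report, matches the API lists against ordered call chains, and raises the severity when the chain executes from non-image memory. The dotted-field layout of the .sdmp names (base address, page protection, region type) is an assumption inferred from the two names on this page, not a documented format.

```python
"""Triage of Joe Sandbox "Executed Functions" entries (added example, not
Joe Sandbox code).  Each record is transcribed from this report: the
"Source File" name, the report's "based on PE" flag and the APIs listed for
the function in listing/CFG order."""
from dataclasses import dataclass

# Windows memory constants (winnt.h)
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# Ordered API chains: a hit needs the calls in this order; other calls may sit between them.
PATTERNS = {
    "hollowing-stub": ["CreateProcessW", "Wow64GetThreadContext", "ReadProcessMemory"],
    "file-to-memory-loader": ["CreateFileW", "VirtualAlloc", "ReadFile"],
}


@dataclass
class FunctionEntry:
    source: str        # "Source File" name from the Memory Dump Source block
    pe_backed: bool    # the report's "based on PE" flag
    apis: list         # API names in the order the report lists them


def decode_source_name(name: str) -> dict:
    """Split a dotted .sdmp name into the fields used here.
    ASSUMPTION (inferred from the two names in this report, not documented by
    Joe Sandbox): field 3 is the base address, field 4 the page protection and
    field 6 the region type, all hexadecimal."""
    parts = name.removesuffix(".sdmp").split(".")
    return {"base": int(parts[3], 16), "protect": int(parts[4], 16), "type": int(parts[6], 16)}


def is_ordered_subsequence(pattern, calls) -> bool:
    """True if every name in `pattern` occurs in `calls`, in that order."""
    it = iter(calls)
    return all(any(call == wanted for call in it) for wanted in pattern)


def score(entry: FunctionEntry) -> dict:
    hits = [name for name, chain in PATTERNS.items() if is_ordered_subsequence(chain, entry.apis)]
    region = decode_source_name(entry.source)
    severity = len(hits)
    if hits and not entry.pe_backed:
        severity += 2   # loader/injection logic running from memory no module backs
    if region["protect"] == PAGE_EXECUTE_READWRITE and region["type"] == MEM_PRIVATE:
        severity += 1   # RWX private allocation: the usual home of an unpacked stub
    return {"base": region["base"], "hits": hits, "severity": severity}


def triage(entries) -> list:
    """Entries ranked by severity, highest first; ties keep report order."""
    return sorted((score(e) for e in entries), key=lambda r: -r["severity"])


# Transcribed from this report's function entries.
STUB_REGION = "00000000.00000002.1716575812.0000000001722000.00000040.00000020.00020000.00000000.sdmp"
AUTOIT_TEXT = "00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp"
REPORT = [
    FunctionEntry(STUB_REGION, False,   # 01723F53: child process, x86 context, 4-byte read
                  ["CreateProcessW", "Wow64GetThreadContext", "ReadProcessMemory"]),
    FunctionEntry(STUB_REGION, False,   # 01724BC9: file read into VirtualAlloc'd memory
                  ["CreateFileW", "VirtualAlloc", "ReadFile", "VirtualAlloc", "CloseHandle", "VirtualFree"]),
    FunctionEntry(AUTOIT_TEXT, True,    # 00F74A1D: runtime reading HKCU\Software\AutoIt v3\AutoIt
                  ["RegOpenKeyExW", "RegQueryValueExW", "RegQueryValueExW", "RegCloseKey"]),
    FunctionEntry(AUTOIT_TEXT, True,    # 00F736E6: runtime main window and edit control
                  ["CreateWindowExW", "CreateWindowExW", "ShowWindow", "ShowWindow"]),
]

if __name__ == "__main__":
    for row in triage(REPORT):
        print(f"{row['base']:#010x} severity={row['severity']} {row['hits']}")
```

The ordered-subsequence match is deliberately loose: the hollowing chain here stops at ReadProcessMemory because that is all this function entry shows; the write/SetThreadContext/ResumeThread half, if present in the sample, lives in another function and would be matched by extending PATTERNS rather than by guessing here.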
            APIs
              • Part of subcall function 00F74517: _fseek.LIBCMT ref: 00F7452F
              • Part of subcall function 00FBC56D: _wcscmp.LIBCMT ref: 00FBC65D
              • Part of subcall function 00FBC56D: _wcscmp.LIBCMT ref: 00FBC670
            • _free.LIBCMT ref: 00FBC4DD
            • _free.LIBCMT ref: 00FBC4E4
            • _free.LIBCMT ref: 00FBC54F
              • Part of subcall function 00F91C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00F97A85), ref: 00F91CB1
              • Part of subcall function 00F91C9D: GetLastError.KERNEL32(00000000,?,00F97A85), ref: 00F91CC3
            • _free.LIBCMT ref: 00FBC557
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
            • String ID:
            • API String ID: 1552873950-0
            • Opcode ID: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
            • Instruction ID: 11647f7debe9b752434cdb1875b74de9525185b344162860343749246a862e06
            • Opcode Fuzzy Hash: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
            • Instruction Fuzzy Hash: 64516EB1904219AFDF249F64DC81BEEBBB9FF48300F1040AEB65DA3241DB755A809F59
            APIs
            • _memset.LIBCMT ref: 00F8EBB2
              • Part of subcall function 00F751AF: _memset.LIBCMT ref: 00F7522F
              • Part of subcall function 00F751AF: _wcscpy.LIBCMT ref: 00F75283
              • Part of subcall function 00F751AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F75293
            • KillTimer.USER32(?,00000001,?,?), ref: 00F8EC07
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F8EC16
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FE3C88
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
            • String ID:
            • API String ID: 1378193009-0
            • Opcode ID: 32e0a045f45165567f6d3495ebbd9d4516fb65675f817ba362e912102d6bb1f5
            • Instruction ID: df28ad26b50f781f6910e4166fb0677c07d7e91332b0f37119dec62c0461117e
            • Opcode Fuzzy Hash: 32e0a045f45165567f6d3495ebbd9d4516fb65675f817ba362e912102d6bb1f5
            • Instruction Fuzzy Hash: 4621D771D04794AFE7329B28885DBE7BBEC9F06318F14048DE68E57241C7B46A84EB51
            APIs
            • _memset.LIBCMT ref: 00FE3725
            • GetOpenFileNameW.COMDLG32 ref: 00FE376F
              • Part of subcall function 00F7660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F753B1,?,?,00F761FF,?,00000000,00000001,00000000), ref: 00F7662F
              • Part of subcall function 00F740A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F740C6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen_memset
            • String ID: X
            • API String ID: 3777226403-3081909835
            • Opcode ID: ea31ac086cd1502503a17c7f3b5d9b353dc94e522bad1bf32fa20bce297d386c
            • Instruction ID: 3fcdd9e1e2b2810e29b11c64d7692985eb2c23ece2b5045cd6737432fea4ca50
            • Opcode Fuzzy Hash: ea31ac086cd1502503a17c7f3b5d9b353dc94e522bad1bf32fa20bce297d386c
            • Instruction Fuzzy Hash: 7B21DB71A101989FDF01DF94CC45BDE7BF99F49300F00805AE449EB241DFB856899F62
            APIs
            • GetTempPathW.KERNEL32(00000104,?), ref: 00FBC72F
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FBC746
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: 382613b6709cdf31ee0748dba742e59d4a1e003d25eb93f23d4d887bf8ce156b
            • Instruction ID: 4996058b5e5d246606bf7d3c9af27e220441016e57edee9a79068cb7342ec08e
            • Opcode Fuzzy Hash: 382613b6709cdf31ee0748dba742e59d4a1e003d25eb93f23d4d887bf8ce156b
            • Instruction Fuzzy Hash: B7D05E7150030EABDB10AB90DC0EF9A776CAB04704F0001A0B694F90B1DAB5E699CB94
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 50b1a2f5cd2fe507decc0f23b502072231c11b2dd8b8191d86e1254f8667e487
            • Instruction ID: 102dffe9953309831e6f65b023047e445f784b5fb19fdfdc30f81576b121fed4
            • Opcode Fuzzy Hash: 50b1a2f5cd2fe507decc0f23b502072231c11b2dd8b8191d86e1254f8667e487
            • Instruction Fuzzy Hash: 48F14A71A043029FC710DF24C981B6AF7E5BF88314F14892EF9999B352D734E949DB82
            APIs
            • _memset.LIBCMT ref: 00F75022
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F750CB
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: IconNotifyShell__memset
            • String ID:
            • API String ID: 928536360-0
            • Opcode ID: 92b75a4c35364bfdbe4b71168bacdecc4a2ca17e96a5860728260aee29e74ccc
            • Instruction ID: a2fddf4d55db979875d81a3b1b7f2b51ddec49fdcb24565a1859e8284f1f5cb4
            • Opcode Fuzzy Hash: 92b75a4c35364bfdbe4b71168bacdecc4a2ca17e96a5860728260aee29e74ccc
            • Instruction Fuzzy Hash: A431BAB1A04701CFD720DF24D844A9BBBE8FF48718F00092EF59E83240E7B6A944DB92
            APIs
            • __FF_MSGBANNER.LIBCMT ref: 00F93973
              • Part of subcall function 00F981C2: __NMSG_WRITE.LIBCMT ref: 00F981E9
              • Part of subcall function 00F981C2: __NMSG_WRITE.LIBCMT ref: 00F981F3
            • __NMSG_WRITE.LIBCMT ref: 00F9397A
              • Part of subcall function 00F9821F: GetModuleFileNameW.KERNEL32(00000000,01030312,00000104,00000000,00000001,00000000), ref: 00F982B1
              • Part of subcall function 00F9821F: ___crtMessageBoxW.LIBCMT ref: 00F9835F
              • Part of subcall function 00F91145: ___crtCorExitProcess.LIBCMT ref: 00F9114B
              • Part of subcall function 00F91145: ExitProcess.KERNEL32 ref: 00F91154
              • Part of subcall function 00F97C0E: __getptd_noexit.LIBCMT ref: 00F97C0E
            • RtlAllocateHeap.NTDLL(01510000,00000000,00000001,00000001,00000000,?,?,00F8F507,?,0000000E), ref: 00F9399F
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
            • String ID:
            • API String ID: 1372826849-0
            • Opcode ID: a8a065ee5a36f03d07cbb76a6d78aedab9838ed1d09d2d12a915b697fd19303f
            • Instruction ID: 6c550eefe0ccc92813985bbb10f9bdd46fc48f755573fe7604dd4f40725972a2
            • Opcode Fuzzy Hash: a8a065ee5a36f03d07cbb76a6d78aedab9838ed1d09d2d12a915b697fd19303f
            • Instruction Fuzzy Hash: 1801B5367453119AFF213B28DC42B2A339D9F82B74F210026F505DB185DFB9DD41A6A0
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00FBC385,?,?,?,?,?,00000004), ref: 00FBC6F2
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FBC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00FBC708
            • CloseHandle.KERNEL32(00000000,?,00FBC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FBC70F
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: 50d1336ac4e5779d28dbabad6bb5037939af57dc6259ae1d035a6975296028f3
            • Instruction ID: 886523841790ba42d310b88d3b7d4f3b1fbc265db17fa654660dfd0f8bca89f7
            • Opcode Fuzzy Hash: 50d1336ac4e5779d28dbabad6bb5037939af57dc6259ae1d035a6975296028f3
            • Instruction Fuzzy Hash: 11E08632140218B7E7211B54AC0DFDE7B1DAF05B74F104110FB14690E097B12521EB98
            APIs
            • _free.LIBCMT ref: 00FBBB72
              • Part of subcall function 00F91C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00F97A85), ref: 00F91CB1
              • Part of subcall function 00F91C9D: GetLastError.KERNEL32(00000000,?,00F97A85), ref: 00F91CC3
            • _free.LIBCMT ref: 00FBBB83
            • _free.LIBCMT ref: 00FBBB95
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
            • Instruction ID: 74a68daf9f91ccb87490ebe8f1d5c4e9ab22984e59c6948c27f49efb8c110d16
            • Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
            • Instruction Fuzzy Hash: FCE05BA1B4174247EE34657AAE44EF733CC5F44371714082DB559E7146CF68F840ADB4
            APIs
              • Part of subcall function 00F722A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F724F1), ref: 00F72303
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F725A1
            • CoInitialize.OLE32(00000000), ref: 00F72618
            • CloseHandle.KERNEL32(00000000), ref: 00FE503A
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Handle$CloseInitializeMessageRegisterWindow
            • String ID:
            • API String ID: 3815369404-0
            • Opcode ID: 7d3dbe2c3e9aebcad43ef55f88afca83d20f9104be9276b1a5fd988c2e3aa91e
            • Instruction ID: 9c79017a86f98cec280f2b082eb6ab90e181c1b97ec31f2bc28719d9c169ca7b
            • Opcode Fuzzy Hash: 7d3dbe2c3e9aebcad43ef55f88afca83d20f9104be9276b1a5fd988c2e3aa91e
            • Instruction Fuzzy Hash: 4C71CCF4901281CBC328EF6AE594498BBADFB9D340784822ED4D9C739ACB3E4421DF55
            APIs
            • IsThemeActive.UXTHEME ref: 00F73A73
              • Part of subcall function 00F91405: __lock.LIBCMT ref: 00F9140B
              • Part of subcall function 00F73ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F73AF3
              • Part of subcall function 00F73ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F73B08
              • Part of subcall function 00F73D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00F73AA3,?), ref: 00F73D45
              • Part of subcall function 00F73D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00F73AA3,?), ref: 00F73D57
              • Part of subcall function 00F73D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,01031148,01031130,?,?,?,?,00F73AA3,?), ref: 00F73DC8
              • Part of subcall function 00F73D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00F73AA3,?), ref: 00F73E48
            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F73AB3
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
            • String ID:
            • API String ID: 924797094-0
            • Opcode ID: a0ce7192c69d2beb5517f9c1fb6957f5a909edb9117b04d7ca3c3bb5dd39034f
            • Instruction ID: 78008aa08b68c40beaf41cda1f5458ded20d5b805c8277b8e449b7ff4eeae4fd
            • Opcode Fuzzy Hash: a0ce7192c69d2beb5517f9c1fb6957f5a909edb9117b04d7ca3c3bb5dd39034f
            • Instruction Fuzzy Hash: E911CD71A083419BC320EF29EC4591AFBE9FF99310F00891FF488872A1DBB99544DF92
            APIs
            • ___lock_fhandle.LIBCMT ref: 00F9EA29
            • __close_nolock.LIBCMT ref: 00F9EA42
              • Part of subcall function 00F97BDA: __getptd_noexit.LIBCMT ref: 00F97BDA
              • Part of subcall function 00F97C0E: __getptd_noexit.LIBCMT ref: 00F97C0E
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __getptd_noexit$___lock_fhandle__close_nolock
            • String ID:
            • API String ID: 1046115767-0
            • Opcode ID: 44752444a7ff3607e734f3936f49ebe86aef2eb47de31bd428f339295dc971e1
            • Instruction ID: 829da6e091946f2503e5d573bbc43bcb2ec45840fc06588d612db0c08caaacf0
            • Opcode Fuzzy Hash: 44752444a7ff3607e734f3936f49ebe86aef2eb47de31bd428f339295dc971e1
            • Instruction Fuzzy Hash: AD117C729197109AFF22FF688C423587A616F82331F264340E4609F1F6CBBD9D41BBA5
            APIs
              • Part of subcall function 00F9395C: __FF_MSGBANNER.LIBCMT ref: 00F93973
              • Part of subcall function 00F9395C: __NMSG_WRITE.LIBCMT ref: 00F9397A
              • Part of subcall function 00F9395C: RtlAllocateHeap.NTDLL(01510000,00000000,00000001,00000001,00000000,?,?,00F8F507,?,0000000E), ref: 00F9399F
            • std::exception::exception.LIBCMT ref: 00F8F51E
            • __CxxThrowException@8.LIBCMT ref: 00F8F533
              • Part of subcall function 00F96805: RaiseException.KERNEL32(?,?,0000000E,01026A30,?,?,?,00F8F538,0000000E,01026A30,?,00000001), ref: 00F96856
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
            • String ID:
            • API String ID: 3902256705-0
            • Opcode ID: 37402bd9d59aca96ccbcf05f7699c3c4d6d567545536903910e51498a9cd6e07
            • Instruction ID: 8269abd4c886a26e1a1155a661950aa15188b28484ae97e133e7038c40236c13
            • Opcode Fuzzy Hash: 37402bd9d59aca96ccbcf05f7699c3c4d6d567545536903910e51498a9cd6e07
            • Instruction Fuzzy Hash: 4BF0F43140021EABEB04FF98DC029EE77A8AF04324F204066FA04D6182CBB59745B7A5
            APIs
              • Part of subcall function 00F97C0E: __getptd_noexit.LIBCMT ref: 00F97C0E
            • __lock_file.LIBCMT ref: 00F93629
              • Part of subcall function 00F94E1C: __lock.LIBCMT ref: 00F94E3F
            • __fclose_nolock.LIBCMT ref: 00F93634
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
            • String ID:
            • API String ID: 2800547568-0
            • Opcode ID: b818bee254ea671a32164d8faba7d03c6b1a803a7b3233fa4a538bb607d3f0cb
            • Instruction ID: d75ccd8c2a81b1ad06516154a8da745f07dacabea1f95ed00e7010cbda65cb85
            • Opcode Fuzzy Hash: b818bee254ea671a32164d8faba7d03c6b1a803a7b3233fa4a538bb607d3f0cb
            • Instruction Fuzzy Hash: CEF0B432801304AAFF21BFA58C02B6E7AA06F41730F258108E421EB2C1CB7C9A01BF55
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 01723F53
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01723FE9
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0172400B
            Memory Dump Source
            • Source File: 00000000.00000002.1716575812.0000000001722000.00000040.00000020.00020000.00000000.sdmp, Offset: 01722000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1722000_PO#001498.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
            • Instruction ID: 2141109aa8cf78dd9f32814588b1c5a1c831ad37ecf4a4aee2dc297975e8864b
            • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
            • Instruction Fuzzy Hash: 8A12BD24E18658C6EB24DF64D8507DEB232FF68300F1091E9D10DEB7A5E77A4E81CB5A
            APIs
            • __flush.LIBCMT ref: 00F92A0B
              • Part of subcall function 00F97C0E: __getptd_noexit.LIBCMT ref: 00F97C0E
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __flush__getptd_noexit
            • String ID:
            • API String ID: 4101623367-0
            • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
            • Instruction ID: 6eb0debeef2cc4bd30e72d87f78ca9adfe81ddff4f69bd5d625ffd1a097ac128
            • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
            • Instruction Fuzzy Hash: E4419332B00706BFFF6C9EA9C8805AE77A6AF45370B24852DE855C7240EB78DD45BB44
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID:
            • API String ID: 544645111-0
            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction ID: 7f6a172a0242513d185162a45c3c55b2544a8a988367d0735fe4a6d64d78fd58
            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction Fuzzy Hash: 0931FA72A00105DBC718EF58C480AA9FBB6FF59350B6486A5E809CB355DB30EDC5EBC0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: 6b62b6d7e1df3c859b92eb33e71f94bc0091dec7ad13ba27f4f4c4737714e696
            • Instruction ID: 523265ef97113df25d5ff8f832e256ea70b8d96b84871762aa6464cb1036b72d
            • Opcode Fuzzy Hash: 6b62b6d7e1df3c859b92eb33e71f94bc0091dec7ad13ba27f4f4c4737714e696
            • Instruction Fuzzy Hash: E9317276104514DFCB01EF10D4917AE77B2FF49320F18845AEA951B385DB74A905EF92
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: 6f02a59e19a9f93395ea55818643982b150e0842e3ae5c010df22feeee6c27ee
            • Instruction ID: 646a9f3d9330731d6f364fd4f01a20d66a8f9a668c7819883f20c42c92dfcc92
            • Opcode Fuzzy Hash: 6f02a59e19a9f93395ea55818643982b150e0842e3ae5c010df22feeee6c27ee
            • Instruction Fuzzy Hash: 9341BE70904641CFDB24DF14C484B5ABBE0BF45318F19899CE89A4B362C776F886EF52
            APIs
              • Part of subcall function 00F74214: FreeLibrary.KERNEL32(00000000,?), ref: 00F74247
            • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00F739FE,?,00000001), ref: 00F741DB
              • Part of subcall function 00F74291: FreeLibrary.KERNEL32(00000000), ref: 00F742C4
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Library$Free$Load
            • String ID:
            • API String ID: 2391024519-0
            • Opcode ID: b87a5617b0f3f6fdfbdf3388779c54351a10d044daaf56a3fe1eddd368576363
            • Instruction ID: fe0787e1bee49c1f192612e2e372b5dfa8bb7c78f1ed75aa60ee445f264642e8
            • Opcode Fuzzy Hash: b87a5617b0f3f6fdfbdf3388779c54351a10d044daaf56a3fe1eddd368576363
            • Instruction Fuzzy Hash: 80119431600205AADF10AF65DC06BAE77A99F40700F10C42AB59AEA182DB78AA10FB61
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: 16d31fc609a0bfb9970e6cb331207dffd93e93710adec165455128703fad5fba
            • Instruction ID: 057f06d6f7fcc8dac343866a728d598226a3647080730985b4027be305e2b4ff
            • Opcode Fuzzy Hash: 16d31fc609a0bfb9970e6cb331207dffd93e93710adec165455128703fad5fba
            • Instruction Fuzzy Hash: 13216975508601CFDB24EF64C844B5ABBE1BF89304F18496CF99A4B262CB35F849EF52
            APIs
            • ___lock_fhandle.LIBCMT ref: 00F9AFC0
              • Part of subcall function 00F97BDA: __getptd_noexit.LIBCMT ref: 00F97BDA
              • Part of subcall function 00F97C0E: __getptd_noexit.LIBCMT ref: 00F97C0E
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __getptd_noexit$___lock_fhandle
            • String ID:
            • API String ID: 1144279405-0
            • Opcode ID: 0f8fac851272187e4076ccd702c2574597faa5b6decf0a5be4c3aa97aced5711
            • Instruction ID: 4e56713cba19c93aac7f7cf7aaf4e3fdaaaf876f1cd0dde5db6b8e6de4e22262
            • Opcode Fuzzy Hash: 0f8fac851272187e4076ccd702c2574597faa5b6decf0a5be4c3aa97aced5711
            • Instruction Fuzzy Hash: 0211BF728197009BFF227FA4AD023593A60AF81331F264240E4744F1E6DBBD8D00BBA1
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
            • Instruction ID: 7c61900bd22170b0926317abec94f1bc84e3eee27997474e608ae7b195263629
            • Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
            • Instruction Fuzzy Hash: 3301863150014AAEDF05EF64CC828EEBB78EF10304F00C066B52697195EB34AA49EF61
            APIs
            • __lock_file.LIBCMT ref: 00F92AED
              • Part of subcall function 00F97C0E: __getptd_noexit.LIBCMT ref: 00F97C0E
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __getptd_noexit__lock_file
            • String ID:
            • API String ID: 2597487223-0
            • Opcode ID: a9449db936d06fe262204d72ae684b216f891c08ebd6eeea71ce5785df7f93df
            • Instruction ID: 63b59af2e8c02a6b6931ef55948a9949bd95026f46563ae458fb88a183a700c0
            • Opcode Fuzzy Hash: a9449db936d06fe262204d72ae684b216f891c08ebd6eeea71ce5785df7f93df
            • Instruction Fuzzy Hash: A9F06D32900205BAFF72BF658C0679F3AA5BF40320F158415F8149A1A1D77D8A56FB51
            APIs
            • FreeLibrary.KERNEL32(?,?,?,?,?,00F739FE,?,00000001), ref: 00F74286
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: 9e3922bd079c34c0996999708dd1b2777eb750d135bee3f57aa93028d4729e65
            • Instruction ID: 199fe341eae79e683ed90621bf7e3158c0e4f33523b789fa25e0b3a86032f9a2
            • Opcode Fuzzy Hash: 9e3922bd079c34c0996999708dd1b2777eb750d135bee3f57aa93028d4729e65
            • Instruction Fuzzy Hash: 25F01C71905702DFCB359F64D890816B7E5AF05325324CA2FF1DA82511C731A860EB56
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F740C6
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: LongNamePath
            • String ID:
            • API String ID: 82841172-0
            • Opcode ID: 00dc81ca068832a7f660a7f83cbe53068510e73632a7df1204d3f203b9132a42
            • Instruction ID: 08364e02cab84134d13ae6ca8c8316aaa810a622f5cc182c9b31463043f1ab4b
            • Opcode Fuzzy Hash: 00dc81ca068832a7f660a7f83cbe53068510e73632a7df1204d3f203b9132a42
            • Instruction Fuzzy Hash: 52E0CD365001245BD7119754CC46FFA779DDF88690F054075F909D7244D968D981A690
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 017247A9
            Memory Dump Source
            • Source File: 00000000.00000002.1716575812.0000000001722000.00000040.00000020.00020000.00000000.sdmp, Offset: 01722000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1722000_PO#001498.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction ID: 9bc58bb18dd195c0685e8ffa42a66ee79ef2fb5d8c5ce1fffd251cbcca9abe7d
            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction Fuzzy Hash: 8BE0E67494010DEFDB00DFB4D54969D7BB4EF04701F100261FD01D2281D6309D508A62
            APIs
              • Part of subcall function 00F8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F8B35F
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00FDF87D
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FDF8DC
            • GetWindowLongW.USER32(?,000000F0), ref: 00FDF919
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FDF940
            • SendMessageW.USER32 ref: 00FDF966
            • _wcsncpy.LIBCMT ref: 00FDF9D2
            • GetKeyState.USER32(00000011), ref: 00FDF9F3
            • GetKeyState.USER32(00000009), ref: 00FDFA00
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FDFA16
            • GetKeyState.USER32(00000010), ref: 00FDFA20
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FDFA4F
            • SendMessageW.USER32 ref: 00FDFA72
            • SendMessageW.USER32(?,00001030,?,00FDE059), ref: 00FDFB6F
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00FDFB85
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FDFB96
            • SetCapture.USER32(?), ref: 00FDFB9F
            • ClientToScreen.USER32(?,?), ref: 00FDFC03
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FDFC0F
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00FDFC29
            • ReleaseCapture.USER32 ref: 00FDFC34
            • GetCursorPos.USER32(?), ref: 00FDFC69
            • ScreenToClient.USER32(?,?), ref: 00FDFC76
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FDFCD8
            • SendMessageW.USER32 ref: 00FDFD02
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FDFD41
            • SendMessageW.USER32 ref: 00FDFD6C
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FDFD84
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FDFD8F
            • GetCursorPos.USER32(?), ref: 00FDFDB0
            • ScreenToClient.USER32(?,?), ref: 00FDFDBD
            • GetParent.USER32(?), ref: 00FDFDD9
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FDFE3F
            • SendMessageW.USER32 ref: 00FDFE6F
            • ClientToScreen.USER32(?,?), ref: 00FDFEC5
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FDFEF1
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FDFF19
            • SendMessageW.USER32 ref: 00FDFF3C
            • ClientToScreen.USER32(?,?), ref: 00FDFF86
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FDFFB6
            • GetWindowLongW.USER32(?,000000F0), ref: 00FE004B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
            • String ID: @GUI_DRAGID$F
            • API String ID: 2516578528-4164748364
            • Opcode ID: de742afa6b1ac85cf79da55647c2aec507e28b8b5b7312af151e47af24e45060
            • Instruction ID: 120d21e46d372c7e6352c5908cc994821b9746a6c4876c0482d8ffbbd8aa6ac9
            • Opcode Fuzzy Hash: de742afa6b1ac85cf79da55647c2aec507e28b8b5b7312af151e47af24e45060
            • Instruction Fuzzy Hash: EB32B070904245AFDB10CF64C884F6ABBAAFF49364F18062AF596873A1C731DD49FB52
            APIs
            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00FDB1CD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: %d/%02d/%02d
            • API String ID: 3850602802-328681919
            • Opcode ID: 7a3c75129e8e108d927172d3445ae3061cf705e61a5e7042425898c59352c0e0
            • Instruction ID: 4c30b7d1dbd08fd19a45a203ba639e479b42bd4ef8d1766c04c2de66b13dd338
            • Opcode Fuzzy Hash: 7a3c75129e8e108d927172d3445ae3061cf705e61a5e7042425898c59352c0e0
            • Instruction Fuzzy Hash: 2712E071900208AFEB249F64CC59FAE7BBAFF45720F18411AF919DB2D1DBB48901EB11
            APIs
            • GetForegroundWindow.USER32(00000000,00000000), ref: 00F8EB4A
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FE3AEA
            • IsIconic.USER32(000000FF), ref: 00FE3AF3
            • ShowWindow.USER32(000000FF,00000009), ref: 00FE3B00
            • SetForegroundWindow.USER32(000000FF), ref: 00FE3B0A
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FE3B20
            • GetCurrentThreadId.KERNEL32 ref: 00FE3B27
            • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00FE3B33
            • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00FE3B44
            • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00FE3B4C
            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00FE3B54
            • SetForegroundWindow.USER32(000000FF), ref: 00FE3B57
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE3B6C
            • keybd_event.USER32(00000012,00000000), ref: 00FE3B77
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE3B81
            • keybd_event.USER32(00000012,00000000), ref: 00FE3B86
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE3B8F
            • keybd_event.USER32(00000012,00000000), ref: 00FE3B94
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE3B9E
            • keybd_event.USER32(00000012,00000000), ref: 00FE3BA3
            • SetForegroundWindow.USER32(000000FF), ref: 00FE3BA6
            • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00FE3BCD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            • Opcode ID: bac19f6562a6ae574b2eb4fa3aaad504595c6c5a70669e2b8284c73afae5a1af
            • Instruction ID: 6b03956c30c7a459a3d70faffa50a8611dc39417607e141d5aaa10f560578213
            • Opcode Fuzzy Hash: bac19f6562a6ae574b2eb4fa3aaad504595c6c5a70669e2b8284c73afae5a1af
            • Instruction Fuzzy Hash: CD315072A4021CBBEB216B668C4DF7E7E6DEF84B50F144025FA05EB1D1D6B15900FAA1
            APIs
              • Part of subcall function 00FAB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FAB180
              • Part of subcall function 00FAB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FAB1AD
              • Part of subcall function 00FAB134: GetLastError.KERNEL32 ref: 00FAB1BA
            • _memset.LIBCMT ref: 00FAAD08
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FAAD5A
            • CloseHandle.KERNEL32(?), ref: 00FAAD6B
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FAAD82
            • GetProcessWindowStation.USER32 ref: 00FAAD9B
            • SetProcessWindowStation.USER32(00000000), ref: 00FAADA5
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FAADBF
              • Part of subcall function 00FAAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FAACC0), ref: 00FAAB99
              • Part of subcall function 00FAAB84: CloseHandle.KERNEL32(?,?,00FAACC0), ref: 00FAABAB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
            • String ID: $default$winsta0
            • API String ID: 2063423040-1027155976
            • Opcode ID: 32252b3de11c6db1fbdacb8d7984ba5bf356ce66ba4cc384363ccb270b04a321
            • Instruction ID: 1ffb7a68eddbcaa35d9961e403ea18866d26e94e98e09806122594750d8616e7
            • Opcode Fuzzy Hash: 32252b3de11c6db1fbdacb8d7984ba5bf356ce66ba4cc384363ccb270b04a321
            • Instruction Fuzzy Hash: 14818DB1C0020DAFDF11DFA4CD89AEEBB79EF0A314F044119F914A6161DB358E58EB62
            APIs
              • Part of subcall function 00FB6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FB5FA6,?), ref: 00FB6ED8
              • Part of subcall function 00FB6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FB5FA6,?), ref: 00FB6EF1
              • Part of subcall function 00FB725E: __wsplitpath.LIBCMT ref: 00FB727B
              • Part of subcall function 00FB725E: __wsplitpath.LIBCMT ref: 00FB728E
              • Part of subcall function 00FB72CB: GetFileAttributesW.KERNEL32(?,00FB6019), ref: 00FB72CC
            • _wcscat.LIBCMT ref: 00FB6149
            • _wcscat.LIBCMT ref: 00FB6167
            • __wsplitpath.LIBCMT ref: 00FB618E
            • FindFirstFileW.KERNEL32(?,?), ref: 00FB61A4
            • _wcscpy.LIBCMT ref: 00FB6209
            • _wcscat.LIBCMT ref: 00FB621C
            • _wcscat.LIBCMT ref: 00FB622F
            • lstrcmpiW.KERNEL32(?,?), ref: 00FB625D
            • DeleteFileW.KERNEL32(?), ref: 00FB626E
            • MoveFileW.KERNEL32(?,?), ref: 00FB6289
            • MoveFileW.KERNEL32(?,?), ref: 00FB6298
            • CopyFileW.KERNEL32(?,?,00000000), ref: 00FB62AD
            • DeleteFileW.KERNEL32(?), ref: 00FB62BE
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB62E1
            • FindClose.KERNEL32(00000000), ref: 00FB62FD
            • FindClose.KERNEL32(00000000), ref: 00FB630B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
            • String ID: \*.*
            • API String ID: 1917200108-1173974218
            • Opcode ID: 74fa5d3448331f4e93613e3f20d1a11f993b6041a14a0fe3e28444e88d9ede06
            • Instruction ID: c54028c2e78f905716209db1c6aa579976f71be45d2fa937e37b2e529344bb6a
            • Opcode Fuzzy Hash: 74fa5d3448331f4e93613e3f20d1a11f993b6041a14a0fe3e28444e88d9ede06
            • Instruction Fuzzy Hash: 73511F72D0811C6ADF21EB96CC44DEB77BCAF05310F0901E6E585E2141DE3A9789EFA4
            APIs
            • OpenClipboard.USER32(0100DC00), ref: 00FC6B36
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00FC6B44
            • GetClipboardData.USER32(0000000D), ref: 00FC6B4C
            • CloseClipboard.USER32 ref: 00FC6B58
            • GlobalLock.KERNEL32(00000000), ref: 00FC6B74
            • CloseClipboard.USER32 ref: 00FC6B7E
            • GlobalUnlock.KERNEL32(00000000), ref: 00FC6B93
            • IsClipboardFormatAvailable.USER32(00000001), ref: 00FC6BA0
            • GetClipboardData.USER32(00000001), ref: 00FC6BA8
            • GlobalLock.KERNEL32(00000000), ref: 00FC6BB5
            • GlobalUnlock.KERNEL32(00000000), ref: 00FC6BE9
            • CloseClipboard.USER32 ref: 00FC6CF6
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
            • String ID:
            • API String ID: 3222323430-0
            • Opcode ID: 379b037fd98c0ef84e961bab1f661052e049c63c38d60a13367758dedcd8208f
            • Instruction ID: 9bed55d27bb389d171ffd62f3e3c5e19bd05be458b56e8c18354477374f5e2e1
            • Opcode Fuzzy Hash: 379b037fd98c0ef84e961bab1f661052e049c63c38d60a13367758dedcd8208f
            • Instruction Fuzzy Hash: 34519E71204206ABD310EF64DE86F7E77A9AF88B11F00402DF59AD61E1DF74D805EAA2
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00FBF62B
            • FindClose.KERNEL32(00000000), ref: 00FBF67F
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FBF6A4
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FBF6BB
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00FBF6E2
            • __swprintf.LIBCMT ref: 00FBF72E
            • __swprintf.LIBCMT ref: 00FBF767
            • __swprintf.LIBCMT ref: 00FBF7BB
              • Part of subcall function 00F9172B: __woutput_l.LIBCMT ref: 00F91784
            • __swprintf.LIBCMT ref: 00FBF809
            • __swprintf.LIBCMT ref: 00FBF858
            • __swprintf.LIBCMT ref: 00FBF8A7
            • __swprintf.LIBCMT ref: 00FBF8F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
            • API String ID: 835046349-2428617273
            • Opcode ID: c9a1cc97acd02ddae90e9c9b63cf6373459bbc0a27bdac537bc6575f4a647f11
            • Instruction ID: 4d456d30e505bb1e2f4af895b0257aa093857cee525f9b59c5fba0d33851d327
            • Opcode Fuzzy Hash: c9a1cc97acd02ddae90e9c9b63cf6373459bbc0a27bdac537bc6575f4a647f11
            • Instruction Fuzzy Hash: 6EA11F72408344ABC350EBA5CC85DAFB7ECBF99700F404C2EF59586151EB38D949EB62
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FC1B50
            • _wcscmp.LIBCMT ref: 00FC1B65
            • _wcscmp.LIBCMT ref: 00FC1B7C
            • GetFileAttributesW.KERNEL32(?), ref: 00FC1B8E
            • SetFileAttributesW.KERNEL32(?,?), ref: 00FC1BA8
            • FindNextFileW.KERNEL32(00000000,?), ref: 00FC1BC0
            • FindClose.KERNEL32(00000000), ref: 00FC1BCB
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00FC1BE7
            • _wcscmp.LIBCMT ref: 00FC1C0E
            • _wcscmp.LIBCMT ref: 00FC1C25
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC1C37
            • SetCurrentDirectoryW.KERNEL32(010239FC), ref: 00FC1C55
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FC1C5F
            • FindClose.KERNEL32(00000000), ref: 00FC1C6C
            • FindClose.KERNEL32(00000000), ref: 00FC1C7C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1803514871-438819550
            • Opcode ID: 3d9eadd1694840935ae61b1a2e7ec79da2093ee32b391db555f5e0c1d70c956e
            • Instruction ID: 9dec74bceb2c1ff3c9e30627fe5a09c5e833c126b80ff32c0046d2dec70cb2f2
            • Opcode Fuzzy Hash: 3d9eadd1694840935ae61b1a2e7ec79da2093ee32b391db555f5e0c1d70c956e
            • Instruction Fuzzy Hash: 4E31B532A0021A6BDF11EBA0DD4AFEE77ADBF46320F140169F811D2091EB74DE55EE64
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FC1CAB
            • _wcscmp.LIBCMT ref: 00FC1CC0
            • _wcscmp.LIBCMT ref: 00FC1CD7
              • Part of subcall function 00FB6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FB6BEF
            • FindNextFileW.KERNEL32(00000000,?), ref: 00FC1D06
            • FindClose.KERNEL32(00000000), ref: 00FC1D11
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00FC1D2D
            • _wcscmp.LIBCMT ref: 00FC1D54
            • _wcscmp.LIBCMT ref: 00FC1D6B
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC1D7D
            • SetCurrentDirectoryW.KERNEL32(010239FC), ref: 00FC1D9B
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FC1DA5
            • FindClose.KERNEL32(00000000), ref: 00FC1DB2
            • FindClose.KERNEL32(00000000), ref: 00FC1DC2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 1824444939-438819550
            • Opcode ID: 4c3769c45d60fd421a57eebcee2b745acdc89201b72e0a92b622d6f19541579c
            • Instruction ID: ef20c9ec34aa242b7d1a6ade5766b5739774fcf7f4283ccef1910a997910c366
            • Opcode Fuzzy Hash: 4c3769c45d60fd421a57eebcee2b745acdc89201b72e0a92b622d6f19541579c
            • Instruction Fuzzy Hash: B531E532A0061B6ADF11AFA0DD0AFEE77ADBF46330F140559E801E6192DB34DA55EA60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _memset
            • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
            • API String ID: 2102423945-2023335898
            • Opcode ID: 8aa5025efb128c58645fbc9dbd940190c4502d199d7a74fb13630d74bfbaa6ed
            • Instruction ID: 81cd468f7f4f457a9d7ca1c2eede1b6d03a8249f2e97f461f1fc615ba759fc2c
            • Opcode Fuzzy Hash: 8aa5025efb128c58645fbc9dbd940190c4502d199d7a74fb13630d74bfbaa6ed
            • Instruction Fuzzy Hash: 5082E472D14259CBCF24CF98C8807ADBBB1FF48320F24816AD859AB351D7749E85EB81
            APIs
            • GetLocalTime.KERNEL32(?), ref: 00FC09DF
            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00FC09EF
            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FC09FB
            • __wsplitpath.LIBCMT ref: 00FC0A59
            • _wcscat.LIBCMT ref: 00FC0A71
            • _wcscat.LIBCMT ref: 00FC0A83
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC0A98
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC0AAC
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC0ADE
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC0AFF
            • _wcscpy.LIBCMT ref: 00FC0B0B
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FC0B4A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
            • String ID: *.*
            • API String ID: 3566783562-438819550
            • Opcode ID: 904e3227bfbee22ca65361b4053605b091e4e9bf7f804b3aa908a587b4ef6d36
            • Instruction ID: 31a70b0622dcc1ea062672edb00b7fd0bd3de623b16550a079ed1fffa5622f1a
            • Opcode Fuzzy Hash: 904e3227bfbee22ca65361b4053605b091e4e9bf7f804b3aa908a587b4ef6d36
            • Instruction Fuzzy Hash: 6C6147725042059FD710EF60C941EAEB3E8FF89324F04891EE999C7252DB35E945DB92
            APIs
              • Part of subcall function 00FAABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FAABD7
              • Part of subcall function 00FAABBB: GetLastError.KERNEL32(?,00FAA69F,?,?,?), ref: 00FAABE1
              • Part of subcall function 00FAABBB: GetProcessHeap.KERNEL32(00000008,?,?,00FAA69F,?,?,?), ref: 00FAABF0
              • Part of subcall function 00FAABBB: HeapAlloc.KERNEL32(00000000,?,00FAA69F,?,?,?), ref: 00FAABF7
              • Part of subcall function 00FAABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FAAC0E
              • Part of subcall function 00FAAC56: GetProcessHeap.KERNEL32(00000008,00FAA6B5,00000000,00000000,?,00FAA6B5,?), ref: 00FAAC62
              • Part of subcall function 00FAAC56: HeapAlloc.KERNEL32(00000000,?,00FAA6B5,?), ref: 00FAAC69
              • Part of subcall function 00FAAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FAA6B5,?), ref: 00FAAC7A
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FAA6D0
            • _memset.LIBCMT ref: 00FAA6E5
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FAA704
            • GetLengthSid.ADVAPI32(?), ref: 00FAA715
            • GetAce.ADVAPI32(?,00000000,?), ref: 00FAA752
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FAA76E
            • GetLengthSid.ADVAPI32(?), ref: 00FAA78B
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FAA79A
            • HeapAlloc.KERNEL32(00000000), ref: 00FAA7A1
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FAA7C2
            • CopySid.ADVAPI32(00000000), ref: 00FAA7C9
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FAA7FA
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FAA820
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FAA834
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: d765bc4a3245c6281df8de606b338f4ccaae221e93dbd07f0466ce42a0ebbdf7
            • Instruction ID: 9a92278dc27d3dbe1645625f6c94be2c16c48043af567a1600b41362efe2d4f0
            • Opcode Fuzzy Hash: d765bc4a3245c6281df8de606b338f4ccaae221e93dbd07f0466ce42a0ebbdf7
            • Instruction Fuzzy Hash: E9513BB1900209AFDF10DFA5DC45EEEBBB9FF05310F048129F915A7291DB399A09EB61
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
            • API String ID: 0-4052911093
            • Opcode ID: 4361aa728585ea3d27e83f8e53c7dfa4515fceca5444a35ae706c8df79f40a57
            • Instruction ID: 5209686ac091a2da209684d464c64bd93558e7ea55e29a47f876636aaef60e2e
            • Opcode Fuzzy Hash: 4361aa728585ea3d27e83f8e53c7dfa4515fceca5444a35ae706c8df79f40a57
            • Instruction Fuzzy Hash: C5728271E14219CBDB24DF58C8807BEB7B5BF04310F24816BE959EB290EB749E41EB91
            APIs
              • Part of subcall function 00FB6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FB5FA6,?), ref: 00FB6ED8
              • Part of subcall function 00FB72CB: GetFileAttributesW.KERNEL32(?,00FB6019), ref: 00FB72CC
            • _wcscat.LIBCMT ref: 00FB6441
            • __wsplitpath.LIBCMT ref: 00FB645F
            • FindFirstFileW.KERNEL32(?,?), ref: 00FB6474
            • _wcscpy.LIBCMT ref: 00FB64A3
            • _wcscat.LIBCMT ref: 00FB64B8
            • _wcscat.LIBCMT ref: 00FB64CA
            • DeleteFileW.KERNEL32(?), ref: 00FB64DA
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB64EB
            • FindClose.KERNEL32(00000000), ref: 00FB6506
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
            • String ID: \*.*
            • API String ID: 2643075503-1173974218
            • Opcode ID: bc60b57c67d8cd0aa56ae1408a9d1c09c7178d8529eef2b21a56b2d2d55d473f
            • Instruction ID: 4557a2006758903b9d5b023533734680052914d4b2979c36b12c2a94c7ad642d
            • Opcode Fuzzy Hash: bc60b57c67d8cd0aa56ae1408a9d1c09c7178d8529eef2b21a56b2d2d55d473f
            • Instruction Fuzzy Hash: C43184B2408388AED721DBA58C859DB77DCAF55310F44092EF6D8C3141EA39D50DEBA7
            APIs
              • Part of subcall function 00FD3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FD2BB5,?,?), ref: 00FD3C1D
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FD328E
              • Part of subcall function 00F7936C: __swprintf.LIBCMT ref: 00F793AB
              • Part of subcall function 00F7936C: __itow.LIBCMT ref: 00F793DF
            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FD332D
            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FD33C5
            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00FD3604
            • RegCloseKey.ADVAPI32(00000000), ref: 00FD3611
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
            • String ID:
            • API String ID: 1240663315-0
            • Opcode ID: 48afa409240e01dfef3abfc3fab03343f9207ab9e157a2ca81042ed888593dab
            • Instruction ID: e21a472e53a85a0e97247db8e5a00c27d19633467a7ea7e72a487e086d3aebb8
            • Opcode Fuzzy Hash: 48afa409240e01dfef3abfc3fab03343f9207ab9e157a2ca81042ed888593dab
            • Instruction Fuzzy Hash: DBE15D31604200AFCB14DF29CD91E6ABBE9EF89320F08855EF54AD7361DB35E905DB52
            APIs
            • GetKeyboardState.USER32(?), ref: 00FB2B5F
            • GetAsyncKeyState.USER32(000000A0), ref: 00FB2BE0
            • GetKeyState.USER32(000000A0), ref: 00FB2BFB
            • GetAsyncKeyState.USER32(000000A1), ref: 00FB2C15
            • GetKeyState.USER32(000000A1), ref: 00FB2C2A
            • GetAsyncKeyState.USER32(00000011), ref: 00FB2C42
            • GetKeyState.USER32(00000011), ref: 00FB2C54
            • GetAsyncKeyState.USER32(00000012), ref: 00FB2C6C
            • GetKeyState.USER32(00000012), ref: 00FB2C7E
            • GetAsyncKeyState.USER32(0000005B), ref: 00FB2C96
            • GetKeyState.USER32(0000005B), ref: 00FB2CA8
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: d52bd017e303e3e1229daf7975044e5aa4db7f48f22a747d8d3a2b462f1a268c
            • Instruction ID: 1b764e475501bbc3d67aa416880fa65de8b3ff5e4760510c4a7d8a2dca961899
            • Opcode Fuzzy Hash: d52bd017e303e3e1229daf7975044e5aa4db7f48f22a747d8d3a2b462f1a268c
            • Instruction Fuzzy Hash: 0241E4B4D047C969FFB19B6189043F9BEA16F11334F088049D5C65A2C1EFA499C8EFA2
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            • Opcode ID: f0f11316aaca1f7fa039bb5dff6f4968780af50d35379d3a788bf19201c64f3b
            • Instruction ID: a0bc021ba405f109129031f046544cf5cd67e95b979c0ea9e970d1fd67b3da11
            • Opcode Fuzzy Hash: f0f11316aaca1f7fa039bb5dff6f4968780af50d35379d3a788bf19201c64f3b
            • Instruction Fuzzy Hash: 31219C31300215AFDB11AF64DD4AF7DB7A9EF44721F00845AF94ADB2A1DB74E801EBA1
            APIs
              • Part of subcall function 00FA9ABF: CLSIDFromProgID.OLE32 ref: 00FA9ADC
              • Part of subcall function 00FA9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00FA9AF7
              • Part of subcall function 00FA9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00FA9B05
              • Part of subcall function 00FA9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00FA9B15
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00FCC235
            • _memset.LIBCMT ref: 00FCC242
            • _memset.LIBCMT ref: 00FCC360
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00FCC38C
            • CoTaskMemFree.OLE32(?), ref: 00FCC397
            Strings
            • NULL Pointer assignment, xrefs: 00FCC3E5
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 1300414916-2785691316
            • Opcode ID: c40eaa41552585f4fdbfb6694a1487545f2b4dad92ff6699c98350b1d46eeee2
            • Instruction ID: 22187b4880ec4526dd80a71fda8dca22a91c2970279ad976ccfd605bbdbf0c84
            • Opcode Fuzzy Hash: c40eaa41552585f4fdbfb6694a1487545f2b4dad92ff6699c98350b1d46eeee2
            • Instruction Fuzzy Hash: 83914A71D00219ABDB10DF94DD82FEEBBB9EF08710F10811AF919A7281DB749A45DFA0
            APIs
              • Part of subcall function 00FAB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FAB180
              • Part of subcall function 00FAB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FAB1AD
              • Part of subcall function 00FAB134: GetLastError.KERNEL32 ref: 00FAB1BA
            • ExitWindowsEx.USER32(?,00000000), ref: 00FB7A0F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $@$SeShutdownPrivilege
            • API String ID: 2234035333-194228
            • Opcode ID: 96ac9fad81a57cc672ece995182fbd14266909c507f94a6570d975543bff64cb
            • Instruction ID: bfc40ac8222ca3d6662176e43ee035a0a4f43768e6f3d19621ae67d8cfd2ecea
            • Opcode Fuzzy Hash: 96ac9fad81a57cc672ece995182fbd14266909c507f94a6570d975543bff64cb
            • Instruction Fuzzy Hash: 0401F772A583156AF7683676CC4ABFF725C9B41750F140424F943E60E2DAACAE00B9B0
            APIs
            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FC8CA8
            • WSAGetLastError.WSOCK32(00000000), ref: 00FC8CB7
            • bind.WSOCK32(00000000,?,00000010), ref: 00FC8CD3
            • listen.WSOCK32(00000000,00000005), ref: 00FC8CE2
            • WSAGetLastError.WSOCK32(00000000), ref: 00FC8CFC
            • closesocket.WSOCK32(00000000,00000000), ref: 00FC8D10
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ErrorLast$bindclosesocketlistensocket
            • String ID:
            • API String ID: 1279440585-0
            • Opcode ID: 3e8b2489c42908415ee4746114bd9d7fae0852564afdcd30448e257a6f7bcf83
            • Instruction ID: c11c2565fcfca80d682498a417c2c8ffe94aa10a110aeca94bb57c9851f025e5
            • Opcode Fuzzy Hash: 3e8b2489c42908415ee4746114bd9d7fae0852564afdcd30448e257a6f7bcf83
            • Instruction Fuzzy Hash: 3121C1316002059FCB10EF28CD45B7EB7A9EF48360F108158F956AB3D2CB34AD02EB51
            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00FB6554
            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00FB6564
            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00FB6583
            • __wsplitpath.LIBCMT ref: 00FB65A7
            • _wcscat.LIBCMT ref: 00FB65BA
            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00FB65F9
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
            • String ID:
            • API String ID: 1605983538-0
            • Opcode ID: ba7a66d2b32137c89a03e2d97b9cc9756f69689fe491b2c2bd930391e7ac0ec6
            • Instruction ID: c694235f72a8f4d9e69c34234f8a4584ad19728e28503dad080a56a97e95bc1b
            • Opcode Fuzzy Hash: ba7a66d2b32137c89a03e2d97b9cc9756f69689fe491b2c2bd930391e7ac0ec6
            • Instruction Fuzzy Hash: AD219571900219ABEB20ABA5CC88FEDB7BCAF44310F5400A5F505D3141EB759F85EF60
            APIs
              • Part of subcall function 00FCA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00FCA84E
            • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00FC9296
            • WSAGetLastError.WSOCK32(00000000,00000000), ref: 00FC92B9
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ErrorLastinet_addrsocket
            • String ID:
            • API String ID: 4170576061-0
            • Opcode ID: a1cec706237c771500e112ed2589cbfb83f932810f072466fc9e9644b882ffd5
            • Instruction ID: 46171cb09cce1c3d8a01d32f803c8cbecb5fc47b63a49feb2418c2b5b7405684
            • Opcode Fuzzy Hash: a1cec706237c771500e112ed2589cbfb83f932810f072466fc9e9644b882ffd5
            • Instruction Fuzzy Hash: F141B071600104AFDB10BB288C46EBE77EDEF44724F14854DF956AB382DBB8AD01AB91
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00FBEB8A
            • _wcscmp.LIBCMT ref: 00FBEBBA
            • _wcscmp.LIBCMT ref: 00FBEBCF
            • FindNextFileW.KERNEL32(00000000,?), ref: 00FBEBE0
            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00FBEC0E
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Find$File_wcscmp$CloseFirstNext
            • String ID:
            • API String ID: 2387731787-0
            • Opcode ID: bb68574a5d29857f12649afda58e360cd12aae98c7c815cdcb6e60352d0e9a71
            • Instruction ID: 724150ec98d542f06a3a1d541f703896e010c84e98c6b4db968383ed9a8c6548
            • Opcode Fuzzy Hash: bb68574a5d29857f12649afda58e360cd12aae98c7c815cdcb6e60352d0e9a71
            • Instruction Fuzzy Hash: 8341CD756003029FDB08DF29C890AEAB7E4FF49324F10455EE95A8B3A1DB35B944EF91
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$EnabledForegroundIconicVisibleZoomed
            • String ID:
            • API String ID: 292994002-0
            • Opcode ID: c6f948fa16cd1780431ff99e43d2bb850988634e67db6e76a401118e9a5f7e3e
            • Instruction ID: 7791b416e99d450920c80f7e15f084a50e5e447c9d955b00ceb6d6fb1d9f69cf
            • Opcode Fuzzy Hash: c6f948fa16cd1780431ff99e43d2bb850988634e67db6e76a401118e9a5f7e3e
            • Instruction Fuzzy Hash: D611BF327002156BE7216F26DC44E7FBB9EEF557B0B09442AF849D7381CF34A907A6A1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-1546025612
            • Opcode ID: 86976bb4171df9afe70ae69b54221d6efcf44a1ac67b087909d09399770bab92
            • Instruction ID: a100434d7413b65ebeb2e253e608cbe59ba0b56ebbb0546ac9ee4aa525c61087
            • Opcode Fuzzy Hash: 86976bb4171df9afe70ae69b54221d6efcf44a1ac67b087909d09399770bab92
            • Instruction Fuzzy Hash: 2C929D71E0422ACBDF24CF58C8407BDB7B1BF94324F15859AE91AA7290D7709D81EF92
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00F8E014,74DF0AE0,00F8DEF1,0100DC38,?,?), ref: 00F8E02C
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F8E03E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetNativeSystemInfo$kernel32.dll
            • API String ID: 2574300362-192647395
            • Opcode ID: 219e1b0529d63e714ea81ff14f42dbcd20a105969bc54aee21fb7a673d9b990b
            • Instruction ID: 3ab28fc424ade91a0116d6741294137c282d30b84290e28089440d6744f97407
            • Opcode Fuzzy Hash: 219e1b0529d63e714ea81ff14f42dbcd20a105969bc54aee21fb7a673d9b990b
            • Instruction Fuzzy Hash: D0D0C7709007269FDB315FA5EC0866676DDAF0471DF18481DECD5D2110D7F4D884E750
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FB13DC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: lstrlen
            • String ID: ($|
            • API String ID: 1659193697-1631851259
            • Opcode ID: 96ccea322faead9789d40442f43668e730237523c3b1c882fa6fa70181bc58cd
            • Instruction ID: 4942fadafe46fea6e16d0010eef8d8473b4706249c56f2a97129e18174e89128
            • Opcode Fuzzy Hash: 96ccea322faead9789d40442f43668e730237523c3b1c882fa6fa70181bc58cd
            • Instruction Fuzzy Hash: DE321475A00605DFC728DF6AC490AAAB7F0FF48320B55C56EE49ADB3A1E770E941CB44
            APIs
              • Part of subcall function 00F8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F8B35F
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00F8B22F
              • Part of subcall function 00F8B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00F8B5A5
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Proc$LongWindow
            • String ID:
            • API String ID: 2749884682-0
            • Opcode ID: a7bb2addfb36f07e1e593f7118aab8d648a0cbec2f8afc367485d36e5ebb1674
            • Instruction ID: dde1bb0becf953b073a38dbc6964c001437aa6e79d317e1d9e20814d2a785e2d
            • Opcode Fuzzy Hash: a7bb2addfb36f07e1e593f7118aab8d648a0cbec2f8afc367485d36e5ebb1674
            • Instruction Fuzzy Hash: 5CA15971514105BADB3ABB2A6C88FFF396DEB4A360F18411AF442D6195CB299C01F372
            APIs
            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FC43BF,00000000), ref: 00FC4FA6
            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00FC4FD2
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Internet$AvailableDataFileQueryRead
            • String ID:
            • API String ID: 599397726-0
            • Opcode ID: bba077975674bac8639893185ff842aa21766ea604d1110093b40c480d432974
            • Instruction ID: 241761f4cfbffc5e71a84ea41fad07b74692c380ce006b4f574ade1d48a3857f
            • Opcode Fuzzy Hash: bba077975674bac8639893185ff842aa21766ea604d1110093b40c480d432974
            • Instruction Fuzzy Hash: E141C67290460BBFEB209E84DE82FBB77BCEB40764F10402EF605A7180D675AE45E650
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00FBE20D
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FBE267
            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00FBE2B4
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            • Opcode ID: 04166c6d965dfc9aa8b2db2fd7ae4151990b56d61870bfb65aa2fad13a710776
            • Instruction ID: 0ffabd89d547cb0e055db81a37df520ef4b0ad2012d31ff160f324d30dff5010
            • Opcode Fuzzy Hash: 04166c6d965dfc9aa8b2db2fd7ae4151990b56d61870bfb65aa2fad13a710776
            • Instruction Fuzzy Hash: 7B218C35A00118EFCB00EFA5D884AEDBBB8FF49314F0480AAE805A7351CB35A905DB50
            APIs
              • Part of subcall function 00F8F4EA: std::exception::exception.LIBCMT ref: 00F8F51E
              • Part of subcall function 00F8F4EA: __CxxThrowException@8.LIBCMT ref: 00F8F533
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FAB180
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FAB1AD
            • GetLastError.KERNEL32 ref: 00FAB1BA
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
            • String ID:
            • API String ID: 1922334811-0
            • Opcode ID: 4ce2a6ee7ad8106df600fcd1a4c43063e08284e4ce92e240c03793aa746c48a9
            • Instruction ID: 5617e51036290e5f0e31e9e73d313b1afd9c40601f0eca24d12c4f96ac74930d
            • Opcode Fuzzy Hash: 4ce2a6ee7ad8106df600fcd1a4c43063e08284e4ce92e240c03793aa746c48a9
            • Instruction Fuzzy Hash: AE11BCB2810205AFE718AF64DCC6D6BBBBDEF45320B20852EE05697241DB74FC41DB60
            APIs
            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FB66AF
            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00FB66EC
            • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FB66F5
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle
            • String ID:
            • API String ID: 33631002-0
            • Opcode ID: 2f546de263175200175ce445e14844db785498dfb48b7a4f82eb682d4f2afbcb
            • Instruction ID: 531fbf466a05ef51ccbdf9a0d5d1d9816c49d99f115480ca2f3002fdbcf4d78f
            • Opcode Fuzzy Hash: 2f546de263175200175ce445e14844db785498dfb48b7a4f82eb682d4f2afbcb
            • Instruction Fuzzy Hash: 8E1182B1901228BEE7108BA8DC45FEF77ACEB08758F104555F901E7190C6789E049BA1
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FB7223
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FB723A
            • FreeSid.ADVAPI32(?), ref: 00FB724A
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            • Opcode ID: 8c65166ad49612207ae3c697ff64c3e959e2a87cee8721d7170e45c7743d3779
            • Instruction ID: 32a30d27af1ed1c4edb8b33aca1d4e75e322c1a7963452621280aa0eff1395b4
            • Opcode Fuzzy Hash: 8c65166ad49612207ae3c697ff64c3e959e2a87cee8721d7170e45c7743d3779
            • Instruction Fuzzy Hash: 4EF0F476A0420DBBDB04DFE4DD89AEEBBBDEF08201F104869A602E2191E6709A44DB10
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00FBF599
            • FindClose.KERNEL32(00000000), ref: 00FBF5C9
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: 7639561b1cb58db99c7f8b2a71e5600640bdf0fa56b9a9a729909bde655c241d
            • Instruction ID: 195eebe3853f91ef43b03a9cfd1053b07bb8e8f2e8a3ecaffdd12a440cfc9a4e
            • Opcode Fuzzy Hash: 7639561b1cb58db99c7f8b2a71e5600640bdf0fa56b9a9a729909bde655c241d
            • Instruction Fuzzy Hash: 8111AD326002049FD710EF29DC45A7EB3E9FF85324F04891EF8AAD7391CB34A9049B81
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00FCBE6A,?,?,00000000,?), ref: 00FBCEA7
            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00FCBE6A,?,?,00000000,?), ref: 00FBCEB9
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            • Opcode ID: 79d2c20ac5da2348522b24178361b9e8dee731a274deb655fca0560b0c81ab00
            • Instruction ID: 023b32d06a352b33260acdabf9c1f27ef9c9009804303faee110e1c73c074c9e
            • Opcode Fuzzy Hash: 79d2c20ac5da2348522b24178361b9e8dee731a274deb655fca0560b0c81ab00
            • Instruction Fuzzy Hash: 72F0823550022DEBDB109BA4DC89FFA776DBF09361F008165F919D6181D630DA44EBA1
            APIs
            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FB4153
            • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00FB4166
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: InputSendkeybd_event
            • String ID:
            • API String ID: 3536248340-0
            • Opcode ID: b03fa0449bf282484d5440d7cdaeedcf359e3ec6a31aae3e2f471dc1323de2d8
            • Instruction ID: 601aac9c7281ea58880605ffa695f5115a26121adb7d2dea3a6f771765adb021
            • Opcode Fuzzy Hash: b03fa0449bf282484d5440d7cdaeedcf359e3ec6a31aae3e2f471dc1323de2d8
            • Instruction Fuzzy Hash: 67F06D7080424DAFDB068FA5C805BFE7BB4EF00305F048009F96596192D7799616EFA0
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FAACC0), ref: 00FAAB99
            • CloseHandle.KERNEL32(?,?,00FAACC0), ref: 00FAABAB
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            • Opcode ID: db8b7d6013a74929802d0c2d6ef7bb73994c3018391eeb0557fbc643ae2e5551
            • Instruction ID: 54b91fb0775a89f52ba647230f934b1f95de6b1af6deabcec09356f8136f10e8
            • Opcode Fuzzy Hash: db8b7d6013a74929802d0c2d6ef7bb73994c3018391eeb0557fbc643ae2e5551
            • Instruction Fuzzy Hash: 8CE0E675010510AFE7252F54EC09DB777EEEF043207148429F55985470DB625D94EB50
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00F96DB3,-0000031A,?,?,00000001), ref: 00F981B1
            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F981BA
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: d118054df09d110532e98678881b456a84fd7c843779c9d0546ce1722a644038
            • Instruction ID: e461c0e2b51428443cb4433a44d1dd81ef0c0513149ad113527c0a02e662ad7d
            • Opcode Fuzzy Hash: d118054df09d110532e98678881b456a84fd7c843779c9d0546ce1722a644038
            • Instruction Fuzzy Hash: 50B0923204860CABDB002BA1EC09B687F6EEF08652F004010F70D440A1CB735410EA96
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 75ca5444aa809758646c0e1f1412b356ca3acf93469b58d28a475fe0e370107f
            • Instruction ID: 07bd7e524000acc2a7298d633a7b22124e879d39a7b06dbb4ad0458369962d61
            • Opcode Fuzzy Hash: 75ca5444aa809758646c0e1f1412b356ca3acf93469b58d28a475fe0e370107f
            • Instruction Fuzzy Hash: 6BA23B71D04219CFDB24DF58C8807ADB7B1FF48324F2581AAD859AB3A1D7349E81EB91
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0eb0ae01414d37cfa676f320a2cb54e5410000690b8904ca8cfeb0ed7f5c0a05
            • Instruction ID: 2fe662337617a2f1a0eb4cffb6b4a59fc5bc3eb26256ff30c8624f4bbd94eb4d
            • Opcode Fuzzy Hash: 0eb0ae01414d37cfa676f320a2cb54e5410000690b8904ca8cfeb0ed7f5c0a05
            • Instruction Fuzzy Hash: D3322632D29F014DEB239634C926335A29DAFB73D4F25D737F819B599AEB29C4835200
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __itow__swprintf
            • String ID:
            • API String ID: 674341424-0
            • Opcode ID: b6da46163e3208b633c3f1591593eae901918c0fd121910989ebf313b1313ff5
            • Instruction ID: b668385e5919b0fde44e7e7099d1f1f81d721189e408af65f397aa76926f1b46
            • Opcode Fuzzy Hash: b6da46163e3208b633c3f1591593eae901918c0fd121910989ebf313b1313ff5
            • Instruction Fuzzy Hash: 73229A719083419FD724DF24C881BAFB7E5AF84310F10891EF89A97291DBB5E945EB83
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0d9dceab2dfa0fd0364727a91500029bf75b33033cfc6a3ca21d257a4094449d
            • Instruction ID: 132d513995fef981a6261be2b3b58dd5f877e73062a877f4a84ba94418c7dbcc
            • Opcode Fuzzy Hash: 0d9dceab2dfa0fd0364727a91500029bf75b33033cfc6a3ca21d257a4094449d
            • Instruction Fuzzy Hash: A9B1F030D2AF414DD3239639883533AB65CAFBB2D5F91D71BFC5A74D16EB2681834680
            APIs
            • __time64.LIBCMT ref: 00FBB6DF
              • Part of subcall function 00F9344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00FBBDC3,00000000,?,?,?,?,00FBBF70,00000000,?), ref: 00F93453
              • Part of subcall function 00F9344A: __aulldiv.LIBCMT ref: 00F93473
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Time$FileSystem__aulldiv__time64
            • String ID:
            • API String ID: 2893107130-0
            • Opcode ID: 7634ad1c75aaa2d2c0a0ef7c15d8354880ce396ef8cb5a031d6f4af1f7700d7d
            • Instruction ID: 565906d3275e8afd4b168c978605d66b0e1290c324485ba43e33e0f56a400453
            • Opcode Fuzzy Hash: 7634ad1c75aaa2d2c0a0ef7c15d8354880ce396ef8cb5a031d6f4af1f7700d7d
            • Instruction Fuzzy Hash: 78218172A34510CBC729CF39C481A92B7E5EB95321B248E6DE4E5CF2C0CB78B905DB54
            APIs
            • BlockInput.USER32(00000001), ref: 00FC6ACA
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: BlockInput
            • String ID:
            • API String ID: 3456056419-0
            • Opcode ID: ee996663010e729723890b5cd11e9140c04a5c4da9dd85f21903b90b6bedff31
            • Instruction ID: e6aee0120f34b227023fd96fda984c1d2459d3e5e48a493133a4adf2f7e42d01
            • Opcode Fuzzy Hash: ee996663010e729723890b5cd11e9140c04a5c4da9dd85f21903b90b6bedff31
            • Instruction Fuzzy Hash: 9BE0D8362002046FC700EF59D805E96B7ECEF74361F04C41AF905D7351CAB4F8049B90
            APIs
            • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00FB750A
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: mouse_event
            • String ID:
            • API String ID: 2434400541-0
            • Opcode ID: 3f6348365b3d07bd9141d18fc3d61ba92f3dc738534143a90f4a47a3b7efeb15
            • Instruction ID: edc8b36f5b4c5dcf97b37999958364cd5cca88c23e5fb6249c5d0e07aa132148
            • Opcode Fuzzy Hash: 3f6348365b3d07bd9141d18fc3d61ba92f3dc738534143a90f4a47a3b7efeb15
            • Instruction Fuzzy Hash: C3D017A152C308A8E82A63228C1BFF71508E380792FD84149B206990C0A8946E01B830
            APIs
            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FAAD3E), ref: 00FAB124
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: LogonUser
            • String ID:
            • API String ID: 1244722697-0
            • Opcode ID: 7b1f8d8d0642b947301c148d0df62a99f539cff1caff12ee8e117bb09fcfc5ee
            • Instruction ID: d47dacfe8cd01e392817f088cd907e775e6d333dec99e87559117dc5f75d8e6a
            • Opcode Fuzzy Hash: 7b1f8d8d0642b947301c148d0df62a99f539cff1caff12ee8e117bb09fcfc5ee
            • Instruction Fuzzy Hash: 85D09E321A464EAEDF025FA4DC06EBE3F6AEB04701F448511FA15D50A1C675D531EB54
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            • Opcode ID: 8f3999176373b4bd3bb414bfb0f1e6ca5d19212a623c8ec5e3c1c98ed2ce5474
            • Instruction ID: ed34a8c57948978fbfe39317774cc2be7da6c2e1948b08ea45fda4e54cf80020
            • Opcode Fuzzy Hash: 8f3999176373b4bd3bb414bfb0f1e6ca5d19212a623c8ec5e3c1c98ed2ce5474
            • Instruction Fuzzy Hash: FAC04CB240014DDFC751CBC4C944AEEB7BCAB04301F2040919105F1110DB709B45EB72
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F9818F
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 84a419d6e3f90df2cfb39ac20b49bbb5066ce5eafbdd961137eccd73d1aeaa1d
            • Instruction ID: d160cb5a06d97535c299b036784440d8c3aa32d24d84dafa40bd3a0a1972760d
            • Opcode Fuzzy Hash: 84a419d6e3f90df2cfb39ac20b49bbb5066ce5eafbdd961137eccd73d1aeaa1d
            • Instruction Fuzzy Hash: 93A0113200020CAB8F002B82EC088A83F2EEA002A0B000020FA0C000208B23A820AA8A
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5afecf57e2f0196004cad003e080074bdf75e599dcdad7d43062b9d91a8d14b8
            • Instruction ID: 4555573325a16c426f26312971eba0f6ecc98d592e0c84cffbbddbd5cf59ea27
            • Opcode Fuzzy Hash: 5afecf57e2f0196004cad003e080074bdf75e599dcdad7d43062b9d91a8d14b8
            • Instruction Fuzzy Hash: D922AE75D002058FDB24DF58C880BAAB7B1FF18324F14C1BBD95A9B351E335A985EB92
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 778e4c49bf3a7a22a51a92a035ceb678f99efab446ff5287900a27b0acfed4e4
            • Instruction ID: 2539a872af0a1ba59b9be3fecf319664f5ef81c36073c5c89b39ee032a69e31e
            • Opcode Fuzzy Hash: 778e4c49bf3a7a22a51a92a035ceb678f99efab446ff5287900a27b0acfed4e4
            • Instruction Fuzzy Hash: 08128070A04609DFDF14DFA5D981AEEB7F5FF48300F10852AE40AE7254EB7AA910EB51
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Exception@8Throwstd::exception::exception
            • String ID:
            • API String ID: 3728558374-0
            • Opcode ID: 6e9d8b7a4d39e9a3fa3a1c015130282a32d222e4f5c62afa1a2f30b9fa26713b
            • Instruction ID: dd6ce0f6933524442dce3a46fbbe483629f48b51d6ebc6d5375e92e2f9d9a346
            • Opcode Fuzzy Hash: 6e9d8b7a4d39e9a3fa3a1c015130282a32d222e4f5c62afa1a2f30b9fa26713b
            • Instruction Fuzzy Hash: 9902B170A00109DFDF14DF69D981AAEB7B5FF45300F10C06AE80ADB255EB39DA15EB92
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
            • Instruction ID: c4ccf220fc53e67451c470503796a6a8e38e8447cc5663ad2da143ebdb517b21
            • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
            • Instruction Fuzzy Hash: 97C1B5726051930EEF2D863E847457EBAA15AA27B131A076DD8B3CB4D5EF24C528E720
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
            • Instruction ID: 7d52f6cd1511bf7b83166cb3a5cd41d0ff67bd1c5072d1aa31e8e9be6d1b7f3a
            • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
            • Instruction Fuzzy Hash: EEC103736051A30EEF2D463AC47443EBAA15EA2BB130A076DD4B3CB1D5EF24C528E720
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
            • Instruction ID: 0f81c8d0bda5179b187189a4d07f85e88fa03d338765abaf75ea6196de5a7daf
            • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
            • Instruction Fuzzy Hash: 39C1D3726091930EEF2D463AC47457EFAA15AA27B131A037DD4B3CB4E5EF24C568E720
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction ID: 26bf48e6b623843818404d24815f706e2f57f4246fe11a9c1576e4e2e3df313a
            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction Fuzzy Hash: 22C1B1726090930EDF2D5639C4744BEBAA15AA2BB131A077DD4B3CB5D5EF24C62CE720
            APIs
            • DeleteObject.GDI32(00000000), ref: 00FCA2FE
            • DeleteObject.GDI32(00000000), ref: 00FCA310
            • DestroyWindow.USER32 ref: 00FCA31E
            • GetDesktopWindow.USER32 ref: 00FCA338
            • GetWindowRect.USER32(00000000), ref: 00FCA33F
            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00FCA480
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00FCA490
            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FCA4D8
            • GetClientRect.USER32(00000000,?), ref: 00FCA4E4
            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FCA51E
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FCA540
            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FCA553
            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FCA55E
            • GlobalLock.KERNEL32(00000000), ref: 00FCA567
            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FCA576
            • GlobalUnlock.KERNEL32(00000000), ref: 00FCA57F
            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FCA586
            • GlobalFree.KERNEL32(00000000), ref: 00FCA591
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FCA5A3
            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00FFD9BC,00000000), ref: 00FCA5B9
            • GlobalFree.KERNEL32(00000000), ref: 00FCA5C9
            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00FCA5EF
            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00FCA60E
            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FCA630
            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FCA81D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
            • String ID: $AutoIt v3$DISPLAY$static
            • API String ID: 2211948467-2373415609
            • Opcode ID: 6022b85e68949d4ebdacae7674802355f0ce156a443b49ee0a3bbbcca60fad2e
            • Instruction ID: 5983b88ba512507fc5fdf5f63da6a3e321a5774112de2319017e7de2a4a28395
            • Opcode Fuzzy Hash: 6022b85e68949d4ebdacae7674802355f0ce156a443b49ee0a3bbbcca60fad2e
            • Instruction Fuzzy Hash: 71028E71A00109EFDB14DFA4CD89EAEBBB9FF48314F008159F905AB2A1D775AD01EB61
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 00FDD2DB
            • GetSysColorBrush.USER32(0000000F), ref: 00FDD30C
            • GetSysColor.USER32(0000000F), ref: 00FDD318
            • SetBkColor.GDI32(?,000000FF), ref: 00FDD332
            • SelectObject.GDI32(?,00000000), ref: 00FDD341
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00FDD36C
            • GetSysColor.USER32(00000010), ref: 00FDD374
            • CreateSolidBrush.GDI32(00000000), ref: 00FDD37B
            • FrameRect.USER32(?,?,00000000), ref: 00FDD38A
            • DeleteObject.GDI32(00000000), ref: 00FDD391
            • InflateRect.USER32(?,000000FE,000000FE), ref: 00FDD3DC
            • FillRect.USER32(?,?,00000000), ref: 00FDD40E
            • GetWindowLongW.USER32(?,000000F0), ref: 00FDD439
              • Part of subcall function 00FDD575: GetSysColor.USER32(00000012), ref: 00FDD5AE
              • Part of subcall function 00FDD575: SetTextColor.GDI32(?,?), ref: 00FDD5B2
              • Part of subcall function 00FDD575: GetSysColorBrush.USER32(0000000F), ref: 00FDD5C8
              • Part of subcall function 00FDD575: GetSysColor.USER32(0000000F), ref: 00FDD5D3
              • Part of subcall function 00FDD575: GetSysColor.USER32(00000011), ref: 00FDD5F0
              • Part of subcall function 00FDD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FDD5FE
              • Part of subcall function 00FDD575: SelectObject.GDI32(?,00000000), ref: 00FDD60F
              • Part of subcall function 00FDD575: SetBkColor.GDI32(?,00000000), ref: 00FDD618
              • Part of subcall function 00FDD575: SelectObject.GDI32(?,?), ref: 00FDD625
              • Part of subcall function 00FDD575: InflateRect.USER32(?,000000FF,000000FF), ref: 00FDD644
              • Part of subcall function 00FDD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FDD65B
              • Part of subcall function 00FDD575: GetWindowLongW.USER32(00000000,000000F0), ref: 00FDD670
              • Part of subcall function 00FDD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FDD698
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
            • String ID:
            • API String ID: 3521893082-0
            • Opcode ID: e4d933903a72a4dc3f8d0becf45169c5a638a8b25b67449bee66fa9b8268defc
            • Instruction ID: a21c5262988fc50d76de7de306f33c73ba29333ec3fddf35adcbc6399a97258d
            • Opcode Fuzzy Hash: e4d933903a72a4dc3f8d0becf45169c5a638a8b25b67449bee66fa9b8268defc
            • Instruction Fuzzy Hash: 6A91A172408305BFD7109F64DC48E6BBBAEFF89325F180A19F962962E0C771D944EB52
            APIs
            • DestroyWindow.USER32 ref: 00F8B98B
            • DeleteObject.GDI32(00000000), ref: 00F8B9CD
            • DeleteObject.GDI32(00000000), ref: 00F8B9D8
            • DestroyIcon.USER32(00000000), ref: 00F8B9E3
            • DestroyWindow.USER32(00000000), ref: 00F8B9EE
            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00FED2AA
            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FED2E3
            • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00FED711
              • Part of subcall function 00F8B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F8B759,?,00000000,?,?,?,?,00F8B72B,00000000,?), ref: 00F8BA58
            • SendMessageW.USER32 ref: 00FED758
            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FED76F
            • ImageList_Destroy.COMCTL32(00000000), ref: 00FED785
            • ImageList_Destroy.COMCTL32(00000000), ref: 00FED790
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
            • String ID: 0
            • API String ID: 464785882-4108050209
            • Opcode ID: 2fcbb36dd979bcb91242168a0a1db30e34b2c7fc189ed11747b97d0e5f10322d
            • Instruction ID: bccedfcb3c8a28019f91017764015f2c1c2067ed12fd81490815b43a425d9a6d
            • Opcode Fuzzy Hash: 2fcbb36dd979bcb91242168a0a1db30e34b2c7fc189ed11747b97d0e5f10322d
            • Instruction Fuzzy Hash: 4612AE30604281DFDB25DF25C888BA9BBF5FF45314F184569E989CBAA2C731EC41EB91
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00FBDBD6
            • GetDriveTypeW.KERNEL32(?,0100DC54,?,\\.\,0100DC00), ref: 00FBDCC3
            • SetErrorMode.KERNEL32(00000000,0100DC54,?,\\.\,0100DC00), ref: 00FBDE29
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            • Opcode ID: 3a630cff74baf28a40b70bf427b4999d9c1949cb07434f03205d647dd6e4fb0f
            • Instruction ID: ce5d7262cab69d37821b07ef309f51dc65c1b5427bef6414e591b604652f6257
            • Opcode Fuzzy Hash: 3a630cff74baf28a40b70bf427b4999d9c1949cb07434f03205d647dd6e4fb0f
            • Instruction Fuzzy Hash: CB51B031608306AB8610DF17CC82AA9B7A1FB9C715B20491EF5CB9F251EB68D845FF47
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 1038674560-86951937
            • Opcode ID: 7e15422017e87c3af1ba95277810816d2c940e710c723ddc0b178a8d0a9ed3b8
            • Instruction ID: be8d9a8ecdef6a3f35c3e312f8ea005b74307a524bff3681aae2ff1135c5f3f7
            • Opcode Fuzzy Hash: 7e15422017e87c3af1ba95277810816d2c940e710c723ddc0b178a8d0a9ed3b8
            • Instruction Fuzzy Hash: 558109316402566BDB25BEA5DC43FAE376DAF14310F04803EF9496A182EB75D941F3E2
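The functions listed above that create the "AutoIt v3" window, build the drive-type name table and parse the #OnAutoItStartRegister / #requireadmin / #include directives belong to the AutoIt v3 runtime that wraps the script, which is what the "Binary is likely a compiled AutoIt script file" signature rests on. Any compiled AutoIt program carries the same strings, so by themselves they confirm the wrapper rather than the FormBook payload. The Python script below is an added triage example, not part of this Joe Sandbox report or of AutoIt itself: it scans a file for those marker strings in both ASCII and UTF-16LE, since the runtime calls the W variants of the Win32 APIs (CreateWindowExW, CharUpperBuffW, GetDriveTypeW) and stores its strings as UTF-16LE, which a plain ASCII grep misses. The marker list is taken from the String IDs above; the hit threshold of three distinct markers and the embedded sample buffer are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Strings lifted from the report: the splash-window title and the directive
# keywords / error messages of the __wcsnicmp-based directive parser.
AUTOIT_MARKERS = [
    "AutoIt v3",
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#notrayicon",
    "#pragma compile",
    "#include-once",
    "Bad directive syntax error",
    "Cannot parse #include",
    "Unterminated group of comments",
]


def _needles(marker: str):
    """Yield the byte forms a Unicode (W-API) build may store a string in."""
    yield "ascii", marker.encode("ascii")
    yield "utf-16le", marker.encode("utf-16-le")


def find_markers(data: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Map every marker present in data to its (encoding, offset) hits."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for marker in AUTOIT_MARKERS:
        for enc, needle in _needles(marker):
            for m in re.finditer(re.escape(needle), data):
                hits.setdefault(marker, []).append((enc, m.start()))
    return hits


def looks_like_autoit(data: bytes, min_distinct: int = 3) -> bool:
    """True when at least min_distinct different markers occur.

    The threshold keeps a file that merely contains '#include-once' or the
    word 'AutoIt' from being flagged; 3 is an assumption for this example,
    not a published detection rule.
    """
    return len(find_markers(data)) >= min_distinct


def triage_file(path: str) -> Dict[str, List[Tuple[str, int]]]:
    """Scan a file on disk, e.g. the submitted PE or a sandbox memory dump."""
    with open(path, "rb") as fh:
        return find_markers(fh.read())


# Constructed sample (not bytes from the real binary): a fake DOS header
# followed by runtime strings, mostly UTF-16LE as a W-API build stores them.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + "#requireadmin".encode("utf-16-le") + b"\x00\x00"
    + "#OnAutoItStartRegister".encode("utf-16-le") + b"\x00\x00"
    + b"#include-once\x00"
)

if __name__ == "__main__":
    for marker, where in find_markers(SAMPLE).items():
        print(f"{marker!r}: {where}")
    print("AutoIt runtime strings present:", looks_like_autoit(SAMPLE))
```

Run it against the submitted file with triage_file(path). A positive result only says the sample is a compiled AutoIt program; the verdict in the Detection section comes from the FormBook YARA match and the process-injection behaviour, not from these runtime strings.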
            APIs
            • CharUpperBuffW.USER32(?,?,0100DC00), ref: 00FD6449
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
            • API String ID: 3964851224-45149045
            • Opcode ID: 900dd577c2b44442c43ca2b0c8ce59393ed6f881c5506be731c4a166a71bc07b
            • Instruction ID: 988af879c17ca7e220a50432900b3372870a0ff7217e8555e3e37911990680bc
            • Opcode Fuzzy Hash: 900dd577c2b44442c43ca2b0c8ce59393ed6f881c5506be731c4a166a71bc07b
            • Instruction Fuzzy Hash: 68C1B7306042058BCB04EF10C951AAE77A6BF95354F08485AF896DB3D7DF24ED4AFB82
            APIs
            • GetSysColor.USER32(00000012), ref: 00FDD5AE
            • SetTextColor.GDI32(?,?), ref: 00FDD5B2
            • GetSysColorBrush.USER32(0000000F), ref: 00FDD5C8
            • GetSysColor.USER32(0000000F), ref: 00FDD5D3
            • CreateSolidBrush.GDI32(?), ref: 00FDD5D8
            • GetSysColor.USER32(00000011), ref: 00FDD5F0
            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FDD5FE
            • SelectObject.GDI32(?,00000000), ref: 00FDD60F
            • SetBkColor.GDI32(?,00000000), ref: 00FDD618
            • SelectObject.GDI32(?,?), ref: 00FDD625
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00FDD644
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FDD65B
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00FDD670
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FDD698
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FDD6BF
            • InflateRect.USER32(?,000000FD,000000FD), ref: 00FDD6DD
            • DrawFocusRect.USER32(?,?), ref: 00FDD6E8
            • GetSysColor.USER32(00000011), ref: 00FDD6F6
            • SetTextColor.GDI32(?,00000000), ref: 00FDD6FE
            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00FDD712
            • SelectObject.GDI32(?,00FDD2A5), ref: 00FDD729
            • DeleteObject.GDI32(?), ref: 00FDD734
            • SelectObject.GDI32(?,?), ref: 00FDD73A
            • DeleteObject.GDI32(?), ref: 00FDD73F
            • SetTextColor.GDI32(?,?), ref: 00FDD745
            • SetBkColor.GDI32(?,?), ref: 00FDD74F
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID:
            • API String ID: 1996641542-0
            • Opcode ID: 0cabaca4efbecf6e50f735ce944951a4caab83a37a744d7ed43b07807cae38f5
            • Instruction ID: 4c4b7435ddf1b72bb12cd8d1a2a97f5349fef0a7b1c67a05c7b506edda7fc321
            • Opcode Fuzzy Hash: 0cabaca4efbecf6e50f735ce944951a4caab83a37a744d7ed43b07807cae38f5
            • Instruction Fuzzy Hash: A9513B72900208BFDF10AFA8DC48EAE7B7AFF09324F144515F915AB2A1D7759A40EF90
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FDB7B0
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FDB7C1
            • CharNextW.USER32(0000014E), ref: 00FDB7F0
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FDB831
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FDB847
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FDB858
            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00FDB875
            • SetWindowTextW.USER32(?,0000014E), ref: 00FDB8C7
            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00FDB8DD
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FDB90E
            • _memset.LIBCMT ref: 00FDB933
            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00FDB97C
            • _memset.LIBCMT ref: 00FDB9DB
            • SendMessageW.USER32 ref: 00FDBA05
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00FDBA5D
            • SendMessageW.USER32(?,0000133D,?,?), ref: 00FDBB0A
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00FDBB2C
            • GetMenuItemInfoW.USER32(?), ref: 00FDBB76
            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FDBBA3
            • DrawMenuBar.USER32(?), ref: 00FDBBB2
            • SetWindowTextW.USER32(?,0000014E), ref: 00FDBBDA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
            • String ID: 0
            • API String ID: 1073566785-4108050209
            • Opcode ID: 7012914903e97afa4c121efd830704a7cdf41635ed5af9bc427ad72e853dcd72
            • Instruction ID: 2a2ba80eef203026fedf89d746f1390bbc45fe38e6a26d3e00474ab57aa46d04
            • Opcode Fuzzy Hash: 7012914903e97afa4c121efd830704a7cdf41635ed5af9bc427ad72e853dcd72
            • Instruction Fuzzy Hash: A7E17F75900218EBDF109F61CC84AEE7B7AFF49720F188157F919AA290DB758A41FF60
            APIs
            • GetCursorPos.USER32(?), ref: 00FD778A
            • GetDesktopWindow.USER32 ref: 00FD779F
            • GetWindowRect.USER32(00000000), ref: 00FD77A6
            • GetWindowLongW.USER32(?,000000F0), ref: 00FD7808
            • DestroyWindow.USER32(?), ref: 00FD7834
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FD785D
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD787B
            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00FD78A1
            • SendMessageW.USER32(?,00000421,?,?), ref: 00FD78B6
            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00FD78C9
            • IsWindowVisible.USER32(?), ref: 00FD78E9
            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00FD7904
            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00FD7918
            • GetWindowRect.USER32(?,?), ref: 00FD7930
            • MonitorFromPoint.USER32(?,?,00000002), ref: 00FD7956
            • GetMonitorInfoW.USER32 ref: 00FD7970
            • CopyRect.USER32(?,?), ref: 00FD7987
            • SendMessageW.USER32(?,00000412,00000000), ref: 00FD79F2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: 6ede28075cf1e3afeb205413ec7f68522b43c26b8e449504e88bab24355125ff
            • Instruction ID: a311ab90e2828ffde52f64a47e2dbb79bb8eab95b53c6acb657540b4adce32c4
            • Opcode Fuzzy Hash: 6ede28075cf1e3afeb205413ec7f68522b43c26b8e449504e88bab24355125ff
            • Instruction Fuzzy Hash: 40B18371608301AFD704EF64C948B6EBBE6FF84310F04891EF5999B291E774E805EB96
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F8A939
            • GetSystemMetrics.USER32(00000007), ref: 00F8A941
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F8A96C
            • GetSystemMetrics.USER32(00000008), ref: 00F8A974
            • GetSystemMetrics.USER32(00000004), ref: 00F8A999
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F8A9B6
            • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00F8A9C6
            • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F8A9F9
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F8AA0D
            • GetClientRect.USER32(00000000,000000FF), ref: 00F8AA2B
            • GetStockObject.GDI32(00000011), ref: 00F8AA47
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F8AA52
              • Part of subcall function 00F8B63C: GetCursorPos.USER32(000000FF), ref: 00F8B64F
              • Part of subcall function 00F8B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00F8B66C
              • Part of subcall function 00F8B63C: GetAsyncKeyState.USER32(00000001), ref: 00F8B691
              • Part of subcall function 00F8B63C: GetAsyncKeyState.USER32(00000002), ref: 00F8B69F
            • SetTimer.USER32(00000000,00000000,00000028,00F8AB87), ref: 00F8AA79
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: 2bc5532abb7c0b37466e6a4e1d60121efd64201024af1b84dac5fadc123887bc
            • Instruction ID: ce8cc0e99159e291574cbfb91339b8a7de0ba8b9134c0290c7567c55a13c53bd
            • Opcode Fuzzy Hash: 2bc5532abb7c0b37466e6a4e1d60121efd64201024af1b84dac5fadc123887bc
            • Instruction Fuzzy Hash: 8DB16F71A0020A9FDB14EFA8DC45BED7BB9FF08324F15411AFA15A7290DB789841EB51
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$Foreground
            • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
            • API String ID: 62970417-1919597938
            • Opcode ID: ea3078b53e4b273a7c8e494474799f93880f33a5bc41bc0586d0a652033d9f6d
            • Instruction ID: 28baa37d4f8e7a93bc558647bbf2326df95e1930a2500405f52dea1dc7d39a98
            • Opcode Fuzzy Hash: ea3078b53e4b273a7c8e494474799f93880f33a5bc41bc0586d0a652033d9f6d
            • Instruction Fuzzy Hash: AFD129315082869FDB44EF51CC41A9ABBB8FF54310F00891DF45A935A1EB34E95AFF92
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FD3735
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0100DC00,00000000,?,00000000,?,?), ref: 00FD37A3
            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00FD37EB
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00FD3874
            • RegCloseKey.ADVAPI32(?), ref: 00FD3B94
            • RegCloseKey.ADVAPI32(00000000), ref: 00FD3BA1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Close$ConnectCreateRegistryValue
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 536824911-966354055
            • Opcode ID: b7202f9522d2efd075497c424e200a726ef5e795dbf792f3a9bc05da6a4ddd2d
            • Instruction ID: 68991ff27112433d7b6daeb3e437f862f4a42fb4d3060407cd222ce294df2425
            • Opcode Fuzzy Hash: b7202f9522d2efd075497c424e200a726ef5e795dbf792f3a9bc05da6a4ddd2d
            • Instruction Fuzzy Hash: 96027E756046019FDB14EF14C855A2EB7EAFF88720F04845EF99A9B361CB74ED01EB82
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00FD6C56
            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FD6D16
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
            • API String ID: 3974292440-719923060
            • Opcode ID: f54ccc335ce357cfef91eefd5488a047ecd849712b90590fb9d566dadfa03d92
            • Instruction ID: 494206af7586f73dac5981108949142564f3d36762670f50476b593ad4542512
            • Opcode Fuzzy Hash: f54ccc335ce357cfef91eefd5488a047ecd849712b90590fb9d566dadfa03d92
            • Instruction Fuzzy Hash: 13A16F316042419BCB14FF14CC51A6AB3A6FF45324F18895EF89A9B3D2DB38EC06EB41
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 00FACF91
            • __swprintf.LIBCMT ref: 00FAD032
            • _wcscmp.LIBCMT ref: 00FAD045
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FAD09A
            • _wcscmp.LIBCMT ref: 00FAD0D6
            • GetClassNameW.USER32(?,?,00000400), ref: 00FAD10D
            • GetDlgCtrlID.USER32(?), ref: 00FAD15F
            • GetWindowRect.USER32(?,?), ref: 00FAD195
            • GetParent.USER32(?), ref: 00FAD1B3
            • ScreenToClient.USER32(00000000), ref: 00FAD1BA
            • GetClassNameW.USER32(?,?,00000100), ref: 00FAD234
            • _wcscmp.LIBCMT ref: 00FAD248
            • GetWindowTextW.USER32(?,?,00000400), ref: 00FAD26E
            • _wcscmp.LIBCMT ref: 00FAD282
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
            • String ID: %s%u
            • API String ID: 3119225716-679674701
            • Opcode ID: ef0657c35b3d866fd36777e8d059c72cfe985c47568ce039c071a3e151b3ed3a
            • Instruction ID: 1db4393bb82562dfe2abb5b989d5477794bde3215960c62840f3460017118450
            • Opcode Fuzzy Hash: ef0657c35b3d866fd36777e8d059c72cfe985c47568ce039c071a3e151b3ed3a
            • Instruction Fuzzy Hash: C8A1F4B1A04306AFD715DF64CC84FAAB7E8FF45360F008529F99AD2580DB30E905EBA1
            APIs
            • GetClassNameW.USER32(00000008,?,00000400), ref: 00FAD8EB
            • _wcscmp.LIBCMT ref: 00FAD8FC
            • GetWindowTextW.USER32(00000001,?,00000400), ref: 00FAD924
            • CharUpperBuffW.USER32(?,00000000), ref: 00FAD941
            • _wcscmp.LIBCMT ref: 00FAD95F
            • _wcsstr.LIBCMT ref: 00FAD970
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00FAD9A8
            • _wcscmp.LIBCMT ref: 00FAD9B8
            • GetWindowTextW.USER32(00000002,?,00000400), ref: 00FAD9DF
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00FADA28
            • _wcscmp.LIBCMT ref: 00FADA38
            • GetClassNameW.USER32(00000010,?,00000400), ref: 00FADA60
            • GetWindowRect.USER32(00000004,?), ref: 00FADAC9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
            • String ID: @$ThumbnailClass
            • API String ID: 1788623398-1539354611
            • Opcode ID: b0170497a45739a9b1dcf8306da4e6a37be28f4c8ac5dbde398b36e6e6040473
            • Instruction ID: 214ea495f264c94c77f449aec1085f716dee766d9d73993df1bf46c7bb97d77d
            • Opcode Fuzzy Hash: b0170497a45739a9b1dcf8306da4e6a37be28f4c8ac5dbde398b36e6e6040473
            • Instruction Fuzzy Hash: FC81D4B14083059FDB01DF10C885FAA7BE8FF85764F04846AFD8A9A096DB34DD45EBA1
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
            • API String ID: 1038674560-1810252412
            • Opcode ID: 67075850966cd049fdb92756f51fcb0beb5f6ec79fc83dc78453f8ab85930ce0
            • Instruction ID: 0b8baf2b09930d63193300adc1e20476f6ec15417ac2395303442aef982f349a
            • Opcode Fuzzy Hash: 67075850966cd049fdb92756f51fcb0beb5f6ec79fc83dc78453f8ab85930ce0
            • Instruction Fuzzy Hash: C431B071A44209AAEB19FA91CD43FED73749F21710F60002EF486B54D1EF69AF44F652
            APIs
            • LoadIconW.USER32(00000063), ref: 00FAEAB0
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FAEAC2
            • SetWindowTextW.USER32(?,?), ref: 00FAEAD9
            • GetDlgItem.USER32(?,000003EA), ref: 00FAEAEE
            • SetWindowTextW.USER32(00000000,?), ref: 00FAEAF4
            • GetDlgItem.USER32(?,000003E9), ref: 00FAEB04
            • SetWindowTextW.USER32(00000000,?), ref: 00FAEB0A
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FAEB2B
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FAEB45
            • GetWindowRect.USER32(?,?), ref: 00FAEB4E
            • SetWindowTextW.USER32(?,?), ref: 00FAEBB9
            • GetDesktopWindow.USER32 ref: 00FAEBBF
            • GetWindowRect.USER32(00000000), ref: 00FAEBC6
            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00FAEC12
            • GetClientRect.USER32(?,?), ref: 00FAEC1F
            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00FAEC44
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FAEC6F
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
            • String ID:
            • API String ID: 3869813825-0
            • Opcode ID: d1b4ed997d4e9e81b956087668ffd9be8c7e0c0349a51863a949e109eec1fcfc
            • Instruction ID: 4fcad72f48341949924cf7758b9c50a95d573b674f00fd215f34395d51cc1244
            • Opcode Fuzzy Hash: d1b4ed997d4e9e81b956087668ffd9be8c7e0c0349a51863a949e109eec1fcfc
            • Instruction Fuzzy Hash: 8C513DB1900709EFDB20DFA8CD89F6EBBF9FF44715F004918E596A26A0D774A944EB10
            APIs
            • LoadCursorW.USER32(00000000,00007F8A), ref: 00FC79C6
            • LoadCursorW.USER32(00000000,00007F00), ref: 00FC79D1
            • LoadCursorW.USER32(00000000,00007F03), ref: 00FC79DC
            • LoadCursorW.USER32(00000000,00007F8B), ref: 00FC79E7
            • LoadCursorW.USER32(00000000,00007F01), ref: 00FC79F2
            • LoadCursorW.USER32(00000000,00007F81), ref: 00FC79FD
            • LoadCursorW.USER32(00000000,00007F88), ref: 00FC7A08
            • LoadCursorW.USER32(00000000,00007F80), ref: 00FC7A13
            • LoadCursorW.USER32(00000000,00007F86), ref: 00FC7A1E
            • LoadCursorW.USER32(00000000,00007F83), ref: 00FC7A29
            • LoadCursorW.USER32(00000000,00007F85), ref: 00FC7A34
            • LoadCursorW.USER32(00000000,00007F82), ref: 00FC7A3F
            • LoadCursorW.USER32(00000000,00007F84), ref: 00FC7A4A
            • LoadCursorW.USER32(00000000,00007F04), ref: 00FC7A55
            • LoadCursorW.USER32(00000000,00007F02), ref: 00FC7A60
            • LoadCursorW.USER32(00000000,00007F89), ref: 00FC7A6B
            • GetCursorInfo.USER32(?), ref: 00FC7A7B
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Cursor$Load$Info
            • String ID:
            • API String ID: 2577412497-0
            • Opcode ID: 4bbbee51d0357bfa5c105222022e8b43c68f3e2063c069bb56d4875c71c15d87
            • Instruction ID: 702e8ec2f6bacb3f53e5cb2c4455d6ceb8930005b5d4631f7ef981f127186724
            • Opcode Fuzzy Hash: 4bbbee51d0357bfa5c105222022e8b43c68f3e2063c069bb56d4875c71c15d87
            • Instruction Fuzzy Hash: E83116B1D0831A6ADB50AFB68C89D5FBEE8FF04760F50452AA50DE7280DA7CA5009F91
            APIs
              • Part of subcall function 00F8E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F7C8B7,?,00002000,?,?,00000000,?,00F7419E,?,?,?,0100DC00), ref: 00F8E984
              • Part of subcall function 00F7660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F753B1,?,?,00F761FF,?,00000000,00000001,00000000), ref: 00F7662F
            • __wsplitpath.LIBCMT ref: 00F7C93E
              • Part of subcall function 00F91DFC: __wsplitpath_helper.LIBCMT ref: 00F91E3C
            • _wcscpy.LIBCMT ref: 00F7C953
            • _wcscat.LIBCMT ref: 00F7C968
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00F7C978
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00F7CABE
              • Part of subcall function 00F7B337: _wcscpy.LIBCMT ref: 00F7B36F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
            • API String ID: 2258743419-1018226102
            • Opcode ID: 47d368a94d681e8bf2ed653eac45a08b26af980e9d796cc1cc7256ce1e9ebdf9
            • Instruction ID: 8b377ac8d656986b042fdacead441087c0edfa8a390a9ec1ffa15d088012a53f
            • Opcode Fuzzy Hash: 47d368a94d681e8bf2ed653eac45a08b26af980e9d796cc1cc7256ce1e9ebdf9
            • Instruction Fuzzy Hash: 3712AE715083419FC724EF25C885AAFBBE5BF89310F00491EF58997251DB38DA49EB93
            APIs
            • _memset.LIBCMT ref: 00FDCEFB
            • DestroyWindow.USER32(?,?), ref: 00FDCF73
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FDCFF4
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FDD016
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FDD025
            • DestroyWindow.USER32(?), ref: 00FDD042
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F70000,00000000), ref: 00FDD075
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FDD094
            • GetDesktopWindow.USER32 ref: 00FDD0A9
            • GetWindowRect.USER32(00000000), ref: 00FDD0B0
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FDD0C2
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FDD0DA
              • Part of subcall function 00F8B526: GetWindowLongW.USER32(?,000000EB), ref: 00F8B537
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
            • String ID: 0$tooltips_class32
            • API String ID: 3877571568-3619404913
            • Opcode ID: 9280c36be8f99db06c1b040bb6ce79516335a02fde81284a822fe06684aa773c
            • Instruction ID: 1604f11cadc2462e622ccfcfcc1fdddd659487d28ecf1deef4b52b522168723b
            • Opcode Fuzzy Hash: 9280c36be8f99db06c1b040bb6ce79516335a02fde81284a822fe06684aa773c
            • Instruction Fuzzy Hash: 7771BC71540205AFE720CF28CC88F6677EAEB88714F08451EF98587395DB75E942EB22
            APIs
              • Part of subcall function 00F8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F8B35F
            • DragQueryPoint.SHELL32(?,?), ref: 00FDF37A
              • Part of subcall function 00FDD7DE: ClientToScreen.USER32(?,?), ref: 00FDD807
              • Part of subcall function 00FDD7DE: GetWindowRect.USER32(?,?), ref: 00FDD87D
              • Part of subcall function 00FDD7DE: PtInRect.USER32(?,?,00FDED5A), ref: 00FDD88D
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00FDF3E3
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FDF3EE
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FDF411
            • _wcscat.LIBCMT ref: 00FDF441
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FDF458
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00FDF471
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00FDF488
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00FDF4AA
            • DragFinish.SHELL32(?), ref: 00FDF4B1
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FDF59C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
            • API String ID: 169749273-3440237614
            • Opcode ID: 4c4b8f28540f481f21cba9e2a1e94fe6d5120153ba35a54c007bd2107bebbb68
            • Instruction ID: b99b742f6e91eeb4c1d0e55ba8b6d3b02eb849a59a5e80d20abf5a7f26fe9c6b
            • Opcode Fuzzy Hash: 4c4b8f28540f481f21cba9e2a1e94fe6d5120153ba35a54c007bd2107bebbb68
            • Instruction Fuzzy Hash: F0615771108304AFC311EF64DC85EABBBE9FF89710F044A1EF595922A1DB749A09EB52
            APIs
            • VariantInit.OLEAUT32(00000000), ref: 00FBAB3D
            • VariantCopy.OLEAUT32(?,?), ref: 00FBAB46
            • VariantClear.OLEAUT32(?), ref: 00FBAB52
            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FBAC40
            • __swprintf.LIBCMT ref: 00FBAC70
            • VarR8FromDec.OLEAUT32(?,?), ref: 00FBAC9C
            • VariantInit.OLEAUT32(?), ref: 00FBAD4D
            • SysFreeString.OLEAUT32(00000016), ref: 00FBADDF
            • VariantClear.OLEAUT32(?), ref: 00FBAE35
            • VariantClear.OLEAUT32(?), ref: 00FBAE44
            • VariantInit.OLEAUT32(00000000), ref: 00FBAE80
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
            • String ID: %4d%02d%02d%02d%02d%02d$Default
            • API String ID: 3730832054-3931177956
            • Opcode ID: 7aab78fd84c12c13e1e9366018f43fb28b5b19df345c535e0ab76874693638d8
            • Instruction ID: 1e496bf1d9874f89377f866328e716cd7a8a9171500d3df0d73c8bad6faf096f
            • Opcode Fuzzy Hash: 7aab78fd84c12c13e1e9366018f43fb28b5b19df345c535e0ab76874693638d8
            • Instruction Fuzzy Hash: B7D1BD72A04215DBDB20AF6BC885BEAF7BAFF44710F148456E4159B181DB74E840FFA2
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00FD71FC
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FD7247
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 3974292440-4258414348
            • Opcode ID: ca48a92d48b91da37cbb56377329a0dade3be528229c9585f15a028f3978d3de
            • Instruction ID: 6af844566506201d97ab7212b63cbcfc78572168b76822b90d445930f54b6ea2
            • Opcode Fuzzy Hash: ca48a92d48b91da37cbb56377329a0dade3be528229c9585f15a028f3978d3de
            • Instruction Fuzzy Hash: 4A9173716087019BCB05FF10C851A6EB7A6BF55310F04885EF89A5B393DB74ED06EB91
            APIs
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FDE5AB
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00FD9808,?), ref: 00FDE607
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FDE647
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FDE68C
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FDE6C3
            • FreeLibrary.KERNEL32(?,00000004,?,?,?,00FD9808,?), ref: 00FDE6CF
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FDE6DF
            • DestroyIcon.USER32(?), ref: 00FDE6EE
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FDE70B
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FDE717
              • Part of subcall function 00F90FA7: __wcsicmp_l.LIBCMT ref: 00F91030
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
            • String ID: .dll$.exe$.icl
            • API String ID: 1212759294-1154884017
            • Opcode ID: a10d8adccae57a87b5eebcab3d7fac9c931c5c60c1ef7aa1823796a6f0abed0f
            • Instruction ID: c243a7579b87666932882966f77ff852000cc5093f0e71c98d6dec51e0fb2788
            • Opcode Fuzzy Hash: a10d8adccae57a87b5eebcab3d7fac9c931c5c60c1ef7aa1823796a6f0abed0f
            • Instruction Fuzzy Hash: 9961CF71910219BAEB14EF64CC46FBE7BADAF08724F144116F915DA2D0EB74D980EBA0
            APIs
              • Part of subcall function 00F7936C: __swprintf.LIBCMT ref: 00F793AB
              • Part of subcall function 00F7936C: __itow.LIBCMT ref: 00F793DF
            • CharLowerBuffW.USER32(?,?), ref: 00FBD292
            • GetDriveTypeW.KERNEL32 ref: 00FBD2DF
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FBD327
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FBD35E
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FBD38C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
            • API String ID: 1148790751-4113822522
            • Opcode ID: 5dd971864c7f8af17a288445faa1f9dadf1209635388f3ad0ac2ed14936ce647
            • Instruction ID: 58dbb801d12584967c67a66e7c0b8b143f5d18c699b7b4f83591d44d2a6f5068
            • Opcode Fuzzy Hash: 5dd971864c7f8af17a288445faa1f9dadf1209635388f3ad0ac2ed14936ce647
            • Instruction Fuzzy Hash: E45149715047049FC700EF11C8819AEB3E9FF88718F00886DF8996B251DB75EE05DB82
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00FE3973,00000016,0000138C,00000016,?,00000016,0100DDB4,00000000,?), ref: 00FB26F1
            • LoadStringW.USER32(00000000,?,00FE3973,00000016), ref: 00FB26FA
            • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00FE3973,00000016,0000138C,00000016,?,00000016,0100DDB4,00000000,?,00000016), ref: 00FB271C
            • LoadStringW.USER32(00000000,?,00FE3973,00000016), ref: 00FB271F
            • __swprintf.LIBCMT ref: 00FB276F
            • __swprintf.LIBCMT ref: 00FB2780
            • _wprintf.LIBCMT ref: 00FB2829
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FB2840
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: HandleLoadModuleString__swprintf$Message_wprintf
            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
            • API String ID: 618562835-2268648507
            • Opcode ID: 071556eb2d508e1e3651c63d4117da422855c5a7ba4de22cd67824e72bc6136a
            • Instruction ID: fdbe428920e772cfa46a968c58727f184703cbb3e216158715f4303049dd5126
            • Opcode Fuzzy Hash: 071556eb2d508e1e3651c63d4117da422855c5a7ba4de22cd67824e72bc6136a
            • Instruction Fuzzy Hash: 28417172800219AACB14FBD1DD82EEEB378AF15740F50406AF50576092DB786F19EBA1
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FBD0D8
            • __swprintf.LIBCMT ref: 00FBD0FA
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00FBD137
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FBD15C
            • _memset.LIBCMT ref: 00FBD17B
            • _wcsncpy.LIBCMT ref: 00FBD1B7
            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FBD1EC
            • CloseHandle.KERNEL32(00000000), ref: 00FBD1F7
            • RemoveDirectoryW.KERNEL32(?), ref: 00FBD200
            • CloseHandle.KERNEL32(00000000), ref: 00FBD20A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
            • String ID: :$\$\??\%s
            • API String ID: 2733774712-3457252023
            • Opcode ID: ea5402f58c4906ec4cb55eeae6815688c400219333e5d3c75ef40a14ca6e283d
            • Instruction ID: 7262f397002c0d68cdb3dba2f5979d9159dc2f91ee38ec47ebf9e7f71b45d91d
            • Opcode Fuzzy Hash: ea5402f58c4906ec4cb55eeae6815688c400219333e5d3c75ef40a14ca6e283d
            • Instruction Fuzzy Hash: 2D31AEB290010AABEB20DFA5CC49FEB37BDAF88700F1040B6F509D2160EB749644AB25
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
            • String ID:
            • API String ID: 884005220-0
            • Opcode ID: e641e31da6d184f5ee0103660d64e401876377281592cfc0f92e4ae46fee1a76
            • Instruction ID: 0f10ad52c7d7cb8967829c1f6f644f38e61d1ba8129c93f509e1807a2d5f33b7
            • Opcode Fuzzy Hash: e641e31da6d184f5ee0103660d64e401876377281592cfc0f92e4ae46fee1a76
            • Instruction Fuzzy Hash: AC61D4B2901312AFEB206F64DC4176A77A8AF067B0F200525E841EA185DFBDD942F7A5
            APIs
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00FDE754
            • GetFileSize.KERNEL32(00000000,00000000), ref: 00FDE76B
            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00FDE776
            • CloseHandle.KERNEL32(00000000), ref: 00FDE783
            • GlobalLock.KERNEL32(00000000), ref: 00FDE78C
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00FDE79B
            • GlobalUnlock.KERNEL32(00000000), ref: 00FDE7A4
            • CloseHandle.KERNEL32(00000000), ref: 00FDE7AB
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FDE7BC
            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00FFD9BC,?), ref: 00FDE7D5
            • GlobalFree.KERNEL32(00000000), ref: 00FDE7E5
            • GetObjectW.GDI32(?,00000018,000000FF), ref: 00FDE809
            • CopyImage.USER32(?,00000000,?,?,00002000), ref: 00FDE834
            • DeleteObject.GDI32(00000000), ref: 00FDE85C
            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FDE872
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
            • String ID:
            • API String ID: 3840717409-0
            • Opcode ID: c54ac0fb862c56779160953bfcbcd7cb059926446d83eb0cfb612f204646ce65
            • Instruction ID: 9431810b253543bf4a2987f6f9186c8eeca3dcc9089aefb19370bcb61a1bf99b
            • Opcode Fuzzy Hash: c54ac0fb862c56779160953bfcbcd7cb059926446d83eb0cfb612f204646ce65
            • Instruction Fuzzy Hash: 0E414A75A00208EFDB119F65CC88EAE7BBEEF89725F144059F905DB260D7309D41EB60
            APIs
            • __wsplitpath.LIBCMT ref: 00FC076F
            • _wcscat.LIBCMT ref: 00FC0787
            • _wcscat.LIBCMT ref: 00FC0799
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC07AE
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC07C2
            • GetFileAttributesW.KERNEL32(?), ref: 00FC07DA
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00FC07F4
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC0806
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
            • String ID: *.*
            • API String ID: 34673085-438819550
            • Opcode ID: 81355b83d3f0f5322c8bc38411fb53e60b1ebd745a176b48e4db87cf7dcc1fdf
            • Instruction ID: 2a8f0c3acea48cfc665103c37966d1fa681f90390a23e72b8a4fb1ec3013fcc0
            • Opcode Fuzzy Hash: 81355b83d3f0f5322c8bc38411fb53e60b1ebd745a176b48e4db87cf7dcc1fdf
            • Instruction Fuzzy Hash: 4C817171904306DFDB24DF24C946E6AB3E8BF85314F14882EF489C7251EB34D956AB52
            APIs
              • Part of subcall function 00F8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F8B35F
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FDEF3B
            • GetFocus.USER32 ref: 00FDEF4B
            • GetDlgCtrlID.USER32(00000000), ref: 00FDEF56
            • _memset.LIBCMT ref: 00FDF081
            • GetMenuItemInfoW.USER32 ref: 00FDF0AC
            • GetMenuItemCount.USER32(00000000), ref: 00FDF0CC
            • GetMenuItemID.USER32(?,00000000), ref: 00FDF0DF
            • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00FDF113
            • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00FDF15B
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FDF193
            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00FDF1C8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
            • String ID: 0
            • API String ID: 1296962147-4108050209
            • Opcode ID: 27c28dfa7ed40d1a72ee51e3c51d3a8b839fa496a659c50d9a5821da5c7f5f73
            • Instruction ID: ae0df60e1367fd35faf7e0737019050826c873b560116a1b2a901b33c53302ac
            • Opcode Fuzzy Hash: 27c28dfa7ed40d1a72ee51e3c51d3a8b839fa496a659c50d9a5821da5c7f5f73
            • Instruction Fuzzy Hash: 24815A71508305AFD720DF14C884E6ABBEAFF88324F18492EF99597391D770D909EB92
            APIs
              • Part of subcall function 00FAABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FAABD7
              • Part of subcall function 00FAABBB: GetLastError.KERNEL32(?,00FAA69F,?,?,?), ref: 00FAABE1
              • Part of subcall function 00FAABBB: GetProcessHeap.KERNEL32(00000008,?,?,00FAA69F,?,?,?), ref: 00FAABF0
              • Part of subcall function 00FAABBB: HeapAlloc.KERNEL32(00000000,?,00FAA69F,?,?,?), ref: 00FAABF7
              • Part of subcall function 00FAABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FAAC0E
              • Part of subcall function 00FAAC56: GetProcessHeap.KERNEL32(00000008,00FAA6B5,00000000,00000000,?,00FAA6B5,?), ref: 00FAAC62
              • Part of subcall function 00FAAC56: HeapAlloc.KERNEL32(00000000,?,00FAA6B5,?), ref: 00FAAC69
              • Part of subcall function 00FAAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FAA6B5,?), ref: 00FAAC7A
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FAA8CB
            • _memset.LIBCMT ref: 00FAA8E0
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FAA8FF
            • GetLengthSid.ADVAPI32(?), ref: 00FAA910
            • GetAce.ADVAPI32(?,00000000,?), ref: 00FAA94D
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FAA969
            • GetLengthSid.ADVAPI32(?), ref: 00FAA986
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FAA995
            • HeapAlloc.KERNEL32(00000000), ref: 00FAA99C
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FAA9BD
            • CopySid.ADVAPI32(00000000), ref: 00FAA9C4
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FAA9F5
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FAAA1B
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FAAA2F
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: 2253be74dd7dbf790625278cd756b0bb60ca19efe1938f0809c3504e6c301f2d
            • Instruction ID: 54f5770028014a53dad9ef46da76883d183181c24d2766d8480932153bbc7759
            • Opcode Fuzzy Hash: 2253be74dd7dbf790625278cd756b0bb60ca19efe1938f0809c3504e6c301f2d
            • Instruction Fuzzy Hash: 45512AB5900209EFDF10DF94DD85AEEBBBAFF05310F048119E915A6290DB359A09EB61
            APIs
            • GetDC.USER32(00000000), ref: 00FC9E36
            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00FC9E42
            • CreateCompatibleDC.GDI32(?), ref: 00FC9E4E
            • SelectObject.GDI32(00000000,?), ref: 00FC9E5B
            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00FC9EAF
            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00FC9EEB
            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00FC9F0F
            • SelectObject.GDI32(00000006,?), ref: 00FC9F17
            • DeleteObject.GDI32(?), ref: 00FC9F20
            • DeleteDC.GDI32(00000006), ref: 00FC9F27
            • ReleaseDC.USER32(00000000,?), ref: 00FC9F32
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
            • String ID: (
            • API String ID: 2598888154-3887548279
            • Opcode ID: d36cc9c23ca3376c8a39e976409f594053c665de348ac68470b3d6e931531d4a
            • Instruction ID: 7c10e89d275b3014017596b9c9c871288574db9d6d002e2c01e468f36c10af6b
            • Opcode Fuzzy Hash: d36cc9c23ca3376c8a39e976409f594053c665de348ac68470b3d6e931531d4a
            • Instruction Fuzzy Hash: E5513876904209AFDB14CFA8CC89EAEBBB9EF48710F14841DF95AA7210C775A941DB60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: LoadString__swprintf_wprintf
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
            • API String ID: 2889450990-2391861430
            • Opcode ID: a3b4e3931df623ce803d05b5b3f954effb8fa5595799e6895b4ed56e30fc84bb
            • Instruction ID: 0e3cb6c84011ce83312a8aa1cdd2044f3347e92b397c189b429b976e629d1dae
            • Opcode Fuzzy Hash: a3b4e3931df623ce803d05b5b3f954effb8fa5595799e6895b4ed56e30fc84bb
            • Instruction Fuzzy Hash: FE519231900109BADF15EBE1CD42EEEB779EF09300F10416AF50976052EB79AE59EFA1
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
             • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: LoadString__swprintf_wprintf
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
            • API String ID: 2889450990-3420473620
            • Opcode ID: 306e04cb805df69a672b11f55cd5e08e69d0458156e920d998b3ad0ac261a72c
            • Instruction ID: 2c846f8990007762cdd59af6fa65fa2feb6d96dca930b83b55d4bfd3243283c1
            • Opcode Fuzzy Hash: 306e04cb805df69a672b11f55cd5e08e69d0458156e920d998b3ad0ac261a72c
            • Instruction Fuzzy Hash: F251A571900209AADF15EBE1CD43EEEB778AF09300F10806AF50976052DB796F59EFA1
            APIs
            • _memset.LIBCMT ref: 00FB55D7
            • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00FB5664
            • GetMenuItemCount.USER32(01031708), ref: 00FB56ED
            • DeleteMenu.USER32(01031708,00000005,00000000,000000F5,?,?), ref: 00FB577D
            • DeleteMenu.USER32(01031708,00000004,00000000), ref: 00FB5785
            • DeleteMenu.USER32(01031708,00000006,00000000), ref: 00FB578D
            • DeleteMenu.USER32(01031708,00000003,00000000), ref: 00FB5795
            • GetMenuItemCount.USER32(01031708), ref: 00FB579D
            • SetMenuItemInfoW.USER32(01031708,00000004,00000000,00000030), ref: 00FB57D3
            • GetCursorPos.USER32(?), ref: 00FB57DD
            • SetForegroundWindow.USER32(00000000), ref: 00FB57E6
            • TrackPopupMenuEx.USER32(01031708,00000000,?,00000000,00000000,00000000), ref: 00FB57F9
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FB5805
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
            • String ID:
            • API String ID: 3993528054-0
            • Opcode ID: 1a1be7ba90b96ea4bba300b79099c70fbcf2b60ef71968a8088fb1915ac8ed5e
            • Instruction ID: ebebaf9c2e349243e37d4673cc6205bf5ea625bcdb98887640b1a2fd63db9b12
            • Opcode Fuzzy Hash: 1a1be7ba90b96ea4bba300b79099c70fbcf2b60ef71968a8088fb1915ac8ed5e
            • Instruction Fuzzy Hash: B571F771A40609BEEB219F56CC45FEABF6AFF04B64F244205F5146A1D1C7796C10EF90
            APIs
            • _memset.LIBCMT ref: 00FAA1DC
            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FAA211
            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FAA22D
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FAA249
            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FAA273
            • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00FAA29B
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FAA2A6
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FAA2AB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
            • API String ID: 1687751970-22481851
            • Opcode ID: 7d1037c11b78599008799b60f9de2cfc54d70b79ddb170adaf2dd8d81b7eca8f
            • Instruction ID: 59f18f424280117d540775ee57f62290c590633e8044201d56575cfca963e3e7
            • Opcode Fuzzy Hash: 7d1037c11b78599008799b60f9de2cfc54d70b79ddb170adaf2dd8d81b7eca8f
            • Instruction Fuzzy Hash: C2410876C10229ABDB15EBA4DC85DEDB7B8FF04710F40802AF905B7160EB749E19EB91
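The record above is the kind of entry worth pulling out of this listing automatically: its direct calls show a network connection being added (WNetAddConnection2W, with \IPC$ among the strings), a remote registry handle opened on HKLM (RegConnectRegistryW with 80000002), a key under SOFTWARE\Classes\ read, and the value fed to CLSIDFromString, i.e. a COM class resolved through another machine's registry. Reading hundreds of such records by eye does not scale, so here is an added example, not part of the Joe Sandbox report or of its IDA plugin, that parses records in the layout used on this page into structured entries, triages them against a watchlist of direct API calls, and compares Opcode IDs between two record sets. SAMPLE is a constructed excerpt (two records copied in this layout, with one subcall line borrowed from a later record) and WATCHLIST is an illustrative assumption, not a Joe Sandbox signature.

```python
"""Parse the per-function Similarity records of a Joe Sandbox report (the layout
of the listing above) and triage them. Added example, not part of the report:
SAMPLE is a constructed excerpt and WATCHLIST an illustrative assumption."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt: two records in the report's layout; the subcall line in
# the second record is borrowed from another record of the listing.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 00FAA1DC
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FAA211
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FAA22D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\\Classes\\), ref: 00FAA249
Strings
• Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
• String ID: SOFTWARE\\Classes\\$\\CLSID$\\IPC$
• API String ID: 1687751970-22481851
• Opcode ID: 7d1037c11b78599008799b60f9de2cfc54d70b79ddb170adaf2dd8d81b7eca8f
APIs
• GetKeyboardState.USER32(?), ref: 00FB2ED6
• SetKeyboardState.USER32(?), ref: 00FB2F41
• GetAsyncKeyState.USER32(000000A0), ref: 00FB2F61
  • Part of subcall function 00F8DC38: timeGetTime.WINMM(?,75C0B400,00FE58AB), ref: 00F8DC3C
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 92ef54084ba0ab4751aa789b03d0a78dc173c55eba3a73b00f4bf59adc431eee
"""

# One "Name.MODULE(args), ref: addr" line. The "Part of subcall function X:"
# prefix marks a call made inside a callee, not by this function directly.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SIM_KEYS = ("API ID", "API String ID", "Opcode ID", "Instruction ID",
            "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")

@dataclass
class ApiCall:
    name: str
    module: str
    args: Optional[str]
    ref: str                          # call-site address
    subcall_of: Optional[str] = None  # callee address when not a direct call

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)

def parse_records(text):
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                 # each record opens with this header
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                       # section headers and other residue
        body = line[1:].strip()
        m = API_RE.match(body)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"], m["ref"], m["sub"]))
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if key == "String ID":
            # The report joins strings with '$', so a string that itself ends in '$'
            # (the IPC$ share) is not recoverable exactly: "\IPC$" comes back as "\IPC".
            cur.strings = [s for s in value.split("$") if s]
        elif key in SIM_KEYS:
            cur.similarity[key] = value
    return records

# Illustrative watchlist (assumption): direct calls worth a closer look here.
WATCHLIST = {
    "WNetAddConnection2W": "connects a network share (IPC$ here) with credentials",
    "RegConnectRegistryW": "opens a registry hive on a remote machine",
    "GetAsyncKeyState": "polls key state, a keystroke-capture primitive",
    "SetKeyboardState": "rewrites modifier state around synthetic input",
}

def triage(records):
    """(Opcode ID, flagged names, strings) per record whose direct calls hit WATCHLIST."""
    hits = []
    for rec in records:
        direct = {c.name for c in rec.apis if c.subcall_of is None}
        flagged = sorted(direct & set(WATCHLIST))
        if flagged:
            hits.append((rec.similarity.get("Opcode ID", ""), flagged, rec.strings))
    return hits

def shared_opcode_ids(a, b):
    """Opcode IDs present in both record sets (same function body in both samples)."""
    ids = lambda recs: {r.similarity["Opcode ID"] for r in recs if "Opcode ID" in r.similarity}
    return ids(a) & ids(b)
```

Two caveats when using this on the full listing. Subcall lines are excluded from triage on purpose: they describe what a callee does, so the same primitive would otherwise be attributed to every caller. And most records on this page are interpreter built-ins rather than the embedded script (the HKCC/HKCR/HKCU key-name table, the all/cdrom/fixed drive-type names and the "PlayMe" MCI alias are AutoIt runtime strings, and the report itself classes the sample as a likely compiled AutoIt script), so Opcode IDs shared between two samples mostly say that they embed the same AutoIt runtime build, not that their scripts are related.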
            APIs
            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FD2BB5,?,?), ref: 00FD3C1D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
            • API String ID: 3964851224-909552448
            • Opcode ID: 1037153ce2d37a511ea0fe098ce589fc68dd95ecf27ee018be7b0d4736b62296
            • Instruction ID: 2f33b93551b5fec4577c1c050587d09e65c42269693de4f6d1a3edd44d63178a
            • Opcode Fuzzy Hash: 1037153ce2d37a511ea0fe098ce589fc68dd95ecf27ee018be7b0d4736b62296
            • Instruction Fuzzy Hash: 20416B3190425E8BCF01FF10DC41AEA3367BF22310F14480AED956B796EB74AA0AEF51
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FE36F4,00000010,?,Bad directive syntax error,0100DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FB25D6
            • LoadStringW.USER32(00000000,?,00FE36F4,00000010), ref: 00FB25DD
            • _wprintf.LIBCMT ref: 00FB2610
            • __swprintf.LIBCMT ref: 00FB2632
            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FB26A1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: HandleLoadMessageModuleString__swprintf_wprintf
            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
            • API String ID: 1080873982-4153970271
            • Opcode ID: 85975aa37bb09338f031d139846a3d482ae012af3f92c4136b9d5dce95feb003
            • Instruction ID: 1702edbb69d55ed554e9c67c9dd61e388080777426fcdb9070a9821d90c687d3
            • Opcode Fuzzy Hash: 85975aa37bb09338f031d139846a3d482ae012af3f92c4136b9d5dce95feb003
            • Instruction Fuzzy Hash: 2921513180021EAFDF11AB90CC46EEE7739BF19704F04445AF5096A062DA75A528EF51
            APIs
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FB7B42
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FB7B58
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FB7B69
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FB7B7B
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FB7B8C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: SendString
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 890592661-1007645807
            • Opcode ID: 0337ed4aed285f4b698459b4182a8692de1f80ade94d98e436781c18fc1959da
            • Instruction ID: e3a6aa63a9978b87effefa7a38979f8d655b41da5cd1f3c299661c4ec505ea77
            • Opcode Fuzzy Hash: 0337ed4aed285f4b698459b4182a8692de1f80ade94d98e436781c18fc1959da
            • Instruction Fuzzy Hash: B311EFA1A4026979DB20B362CC4ADFFBA7CFFD5B10F00442EB455AA0C1EEA41945DEA1
            APIs
            • timeGetTime.WINMM ref: 00FB7794
              • Part of subcall function 00F8DC38: timeGetTime.WINMM(?,75C0B400,00FE58AB), ref: 00F8DC3C
            • Sleep.KERNEL32(0000000A), ref: 00FB77C0
            • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00FB77E4
            • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00FB7806
            • SetActiveWindow.USER32 ref: 00FB7825
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FB7833
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00FB7852
            • Sleep.KERNEL32(000000FA), ref: 00FB785D
            • IsWindow.USER32 ref: 00FB7869
            • EndDialog.USER32(00000000), ref: 00FB787A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            • Opcode ID: cee473ce26673e00c789ff4194ec2e6d3ffb4aaf9abf5a42d3c69268d851e2ac
            • Instruction ID: 64b735ff00a111a83a08ba9ba6458f2fe4c506e269dfbba799721deaf8dd6ec3
            • Opcode Fuzzy Hash: cee473ce26673e00c789ff4194ec2e6d3ffb4aaf9abf5a42d3c69268d851e2ac
            • Instruction Fuzzy Hash: 342150B0204309AFE7146B21ECC9BB67F2EFB84758B148014F5468A262CF6A9C00FF21
            APIs
              • Part of subcall function 00F7936C: __swprintf.LIBCMT ref: 00F793AB
              • Part of subcall function 00F7936C: __itow.LIBCMT ref: 00F793DF
            • CoInitialize.OLE32(00000000), ref: 00FC034B
            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FC03DE
            • SHGetDesktopFolder.SHELL32(?), ref: 00FC03F2
            • CoCreateInstance.OLE32(00FFDA8C,00000000,00000001,01023CF8,?), ref: 00FC043E
            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FC04AD
            • CoTaskMemFree.OLE32(?,?), ref: 00FC0505
            • _memset.LIBCMT ref: 00FC0542
            • SHBrowseForFolderW.SHELL32(?), ref: 00FC057E
            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FC05A1
            • CoTaskMemFree.OLE32(00000000), ref: 00FC05A8
            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00FC05DF
            • CoUninitialize.OLE32(00000001,00000000), ref: 00FC05E1
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
            • String ID:
            • API String ID: 1246142700-0
            • Opcode ID: 5ceeeae5c22d9dac0300b0d42434794260a7e5560863e03f0c042eae3eab0d06
            • Instruction ID: 77a108f6a6dd9a26f4c9bd90377e831742e6d30d72a30064959f9b8332e0c05e
            • Opcode Fuzzy Hash: 5ceeeae5c22d9dac0300b0d42434794260a7e5560863e03f0c042eae3eab0d06
            • Instruction Fuzzy Hash: 8BB1D875A00209AFDB04DFA4CD89EAEBBB9EF48314B148459E809EB251DB74ED41DF50
            APIs
            • GetKeyboardState.USER32(?), ref: 00FB2ED6
            • SetKeyboardState.USER32(?), ref: 00FB2F41
            • GetAsyncKeyState.USER32(000000A0), ref: 00FB2F61
            • GetKeyState.USER32(000000A0), ref: 00FB2F78
            • GetAsyncKeyState.USER32(000000A1), ref: 00FB2FA7
            • GetKeyState.USER32(000000A1), ref: 00FB2FB8
            • GetAsyncKeyState.USER32(00000011), ref: 00FB2FE4
            • GetKeyState.USER32(00000011), ref: 00FB2FF2
            • GetAsyncKeyState.USER32(00000012), ref: 00FB301B
            • GetKeyState.USER32(00000012), ref: 00FB3029
            • GetAsyncKeyState.USER32(0000005B), ref: 00FB3052
            • GetKeyState.USER32(0000005B), ref: 00FB3060
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: 92ef54084ba0ab4751aa789b03d0a78dc173c55eba3a73b00f4bf59adc431eee
            • Instruction ID: 51fae5bafdd00b4bc407551f345c19d310a8f6933a7df9c86c72b750c3ddea36
            • Opcode Fuzzy Hash: 92ef54084ba0ab4751aa789b03d0a78dc173c55eba3a73b00f4bf59adc431eee
            • Instruction Fuzzy Hash: C6512A24E0478829FB35EBB688407EEBFF45F11394F08458DC5C25A1C2DA54AB8CEF62
            APIs
            • GetDlgItem.USER32(?,00000001), ref: 00FAED1E
            • GetWindowRect.USER32(00000000,?), ref: 00FAED30
            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FAED8E
            • GetDlgItem.USER32(?,00000002), ref: 00FAED99
            • GetWindowRect.USER32(00000000,?), ref: 00FAEDAB
            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FAEE01
            • GetDlgItem.USER32(?,000003E9), ref: 00FAEE0F
            • GetWindowRect.USER32(00000000,?), ref: 00FAEE20
            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FAEE63
            • GetDlgItem.USER32(?,000003EA), ref: 00FAEE71
            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FAEE8E
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00FAEE9B
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$ItemMoveRect$Invalidate
            • String ID:
            • API String ID: 3096461208-0
            • Opcode ID: 5c3002d1b4a468d2d591d36d67804153d57d68cbe5d09f8e9a51da59a7b00031
            • Instruction ID: f2cac1d5900ae6aa608aebbe754401a6a9205446e12dbd57dade0edc7950ec31
            • Opcode Fuzzy Hash: 5c3002d1b4a468d2d591d36d67804153d57d68cbe5d09f8e9a51da59a7b00031
            • Instruction Fuzzy Hash: C4513EB1B00209AFDB18CF68CD99AAEBBBAFF88310F148129F519D7290D7709D00DB10
            APIs
              • Part of subcall function 00F8B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F8B759,?,00000000,?,?,?,?,00F8B72B,00000000,?), ref: 00F8BA58
            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F8B72B), ref: 00F8B7F6
            • KillTimer.USER32(00000000,?,00000000,?,?,?,?,00F8B72B,00000000,?,?,00F8B2EF,?,?), ref: 00F8B88D
            • DestroyAcceleratorTable.USER32(00000000), ref: 00FED8A6
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F8B72B,00000000,?,?,00F8B2EF,?,?), ref: 00FED8D7
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F8B72B,00000000,?,?,00F8B2EF,?,?), ref: 00FED8EE
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F8B72B,00000000,?,?,00F8B2EF,?,?), ref: 00FED90A
            • DeleteObject.GDI32(00000000), ref: 00FED91C
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            • Opcode ID: 8fcfd6f86fd515ad4bf60f6d5c8f17315948c88d44834a6475fd14923e22b08a
            • Instruction ID: 084d11317b661324080f7c8eaa053581e6ad0f437e0a2bf4f9b7aea48f0c2a70
            • Opcode Fuzzy Hash: 8fcfd6f86fd515ad4bf60f6d5c8f17315948c88d44834a6475fd14923e22b08a
            • Instruction Fuzzy Hash: 52618B31901740DFDB35AF59DD88BB9B7B9FF98322F140519E08286A64CB79A881FF40
            APIs
              • Part of subcall function 00F8B526: GetWindowLongW.USER32(?,000000EB), ref: 00F8B537
            • GetSysColor.USER32(0000000F), ref: 00F8B438
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            • Opcode ID: f425b74b7ec978f39101733efaee03f3f71df27b09ff9ef6e77416c7b347ee07
            • Instruction ID: ff15539484e0ca601bfb37b4b103c2ff20f3d0fe35027245a0d630f570990a19
            • Opcode Fuzzy Hash: f425b74b7ec978f39101733efaee03f3f71df27b09ff9ef6e77416c7b347ee07
            • Instruction Fuzzy Hash: C9417031500154AFDB25AF28DC8ABF93B6AAF46731F184265FD658E1E6D7308C42FB21
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
            • String ID:
            • API String ID: 136442275-0
            • Opcode ID: 709f0083b301bd96c1dc45bc191b7a3a2369ad3886cec05c7c7083e78c0fb765
            • Instruction ID: 1da4b2b99e5f95f90753f56b51676b7b427858072ef4a4352695bbb85efd8f9b
            • Opcode Fuzzy Hash: 709f0083b301bd96c1dc45bc191b7a3a2369ad3886cec05c7c7083e78c0fb765
            • Instruction Fuzzy Hash: A1411B7684511CAEDF62EB95CC85DDB73BCEF44310F0041A6B659E2051EE38ABE89F50
            APIs
            • CharLowerBuffW.USER32(0100DC00,0100DC00,0100DC00), ref: 00FBD7CE
            • GetDriveTypeW.KERNEL32(?,01023A70,00000061), ref: 00FBD898
            • _wcscpy.LIBCMT ref: 00FBD8C2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: BuffCharDriveLowerType_wcscpy
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2820617543-1000479233
            • Opcode ID: a7e58d531d405a18050ed3b7196220b36ef50369923bda850630a154d83bc2c0
            • Instruction ID: 703b72dc54864e50593e8c5ed91950fe1e23092a4804e4fc484f2a9b024482c0
            • Opcode Fuzzy Hash: a7e58d531d405a18050ed3b7196220b36ef50369923bda850630a154d83bc2c0
            • Instruction Fuzzy Hash: 2A5180355082049FC700EF15DC82AEEB7A5FF85324F10882DF5995B2A2EB75E905EB43
            APIs
            • __swprintf.LIBCMT ref: 00F793AB
            • __itow.LIBCMT ref: 00F793DF
              • Part of subcall function 00F91557: _xtow@16.LIBCMT ref: 00F91578
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __itow__swprintf_xtow@16
            • String ID: %.15g$0x%p$False$True
            • API String ID: 1502193981-2263619337
            • Opcode ID: 6b45b954e45791f784bdf3618b1bf2fc3752888fd2a88a2863e8a6fab782ef7a
            • Instruction ID: 351fc2701332944278fd9beab42cbc4aa679437a8867f54b5490523201f87b37
            • Opcode Fuzzy Hash: 6b45b954e45791f784bdf3618b1bf2fc3752888fd2a88a2863e8a6fab782ef7a
            • Instruction Fuzzy Hash: F941E6329042059FEB24EF79DD42F6973E8EF48310F20846FE14EDB181EA75A941EB51
            APIs
            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FDA259
            • CreateCompatibleDC.GDI32(00000000), ref: 00FDA260
            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FDA273
            • SelectObject.GDI32(00000000,00000000), ref: 00FDA27B
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FDA286
            • DeleteDC.GDI32(00000000), ref: 00FDA28F
            • GetWindowLongW.USER32(?,000000EC), ref: 00FDA299
            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00FDA2AD
            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00FDA2B9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
            • String ID: static
            • API String ID: 2559357485-2160076837
            • Opcode ID: 80a642ee841d41994c69ce16dbd0f4181e9752b88f5bc03419851106acfeeae0
            • Instruction ID: 844108292a8236bfb94512f7fa4b8f0633bf91f7ce33eef75bbd4de7d84f36f9
            • Opcode Fuzzy Hash: 80a642ee841d41994c69ce16dbd0f4181e9752b88f5bc03419851106acfeeae0
            • Instruction Fuzzy Hash: 71319E31500118ABDF219FA5DC49FEA3B6EFF0D361F140215FA19A61A0C736D811EBA8
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
            • String ID: 0.0.0.0
            • API String ID: 2620052-3771769585
            • Opcode ID: d97f5116c71d7db1c6505fa20affa121a412cfd60ef109dab54e8de07ddd65f1
            • Instruction ID: 8244aa1e0c273d4a398e4baf6418bc9149d9938fe78f69ecc6b3d2b8bfdb4af8
            • Opcode Fuzzy Hash: d97f5116c71d7db1c6505fa20affa121a412cfd60ef109dab54e8de07ddd65f1
            • Instruction Fuzzy Hash: E311E772904119AFDB247B65AC0AEFA77ACEF44720F040065F145DA081FF789A85FB50
            APIs
            • _memset.LIBCMT ref: 00F95047
              • Part of subcall function 00F97C0E: __getptd_noexit.LIBCMT ref: 00F97C0E
            • __gmtime64_s.LIBCMT ref: 00F950E0
            • __gmtime64_s.LIBCMT ref: 00F95116
            • __gmtime64_s.LIBCMT ref: 00F95133
            • __allrem.LIBCMT ref: 00F95189
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F951A5
            • __allrem.LIBCMT ref: 00F951BC
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F951DA
            • __allrem.LIBCMT ref: 00F951F1
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F9520F
            • __invoke_watson.LIBCMT ref: 00F95280
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
            • String ID:
            • API String ID: 384356119-0
            • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
            • Instruction ID: 46bff9ee16cc49ad3c2a11b7fdb97034ffd6d679c47fa28ec14bc9d4e47400cb
            • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
            • Instruction Fuzzy Hash: A271D6B2E01B17ABFF15AF78CC41B5AB3A8BF05B64F144229F910D6681E774D940ABD0
            APIs
            • _memset.LIBCMT ref: 00FB4DF8
            • GetMenuItemInfoW.USER32(01031708,000000FF,00000000,00000030), ref: 00FB4E59
            • SetMenuItemInfoW.USER32(01031708,00000004,00000000,00000030), ref: 00FB4E8F
            • Sleep.KERNEL32(000001F4), ref: 00FB4EA1
            • GetMenuItemCount.USER32(?), ref: 00FB4EE5
            • GetMenuItemID.USER32(?,00000000), ref: 00FB4F01
            • GetMenuItemID.USER32(?,-00000001), ref: 00FB4F2B
            • GetMenuItemID.USER32(?,?), ref: 00FB4F70
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FB4FB6
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FB4FCA
            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FB4FEB
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
            • String ID:
            • API String ID: 4176008265-0
            • Opcode ID: 3e1606ec554c7b6c08a117afb4bfadc4430028b1c1e7b7db457f1d92829fe897
            • Instruction ID: b0c646b6427a613b3d4a41511dcb38cbc59cfb01d592f5f4ea8a68e1b4b367d9
            • Opcode Fuzzy Hash: 3e1606ec554c7b6c08a117afb4bfadc4430028b1c1e7b7db457f1d92829fe897
            • Instruction Fuzzy Hash: 4E61AD71A00249AFDB20CFA5CA84AFEBBB9EB05314F180159F451A7292D775ED04EF20
            APIs
            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FD9C98
            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FD9C9B
            • GetWindowLongW.USER32(?,000000F0), ref: 00FD9CBF
            • _memset.LIBCMT ref: 00FD9CD0
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FD9CE2
            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FD9D5A
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend$LongWindow_memset
            • String ID:
            • API String ID: 830647256-0
            • Opcode ID: 0372e10eebcab17a8f382099272a8795756134e80c9a4688f646b33e7d096736
            • Instruction ID: 9a599ed8b11a67109d82fc019b0ab1ea8a11290815eb9844fa00d525084db63b
            • Opcode Fuzzy Hash: 0372e10eebcab17a8f382099272a8795756134e80c9a4688f646b33e7d096736
            • Instruction Fuzzy Hash: 40617B75A00208AFDB20DFA8CC81EEE77B9EF09714F14415AFA54E7391D7B4A941EB60
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00FA94FE
            • SafeArrayAllocData.OLEAUT32(?), ref: 00FA9549
            • VariantInit.OLEAUT32(?), ref: 00FA955B
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00FA957B
            • VariantCopy.OLEAUT32(?,?), ref: 00FA95BE
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00FA95D2
            • VariantClear.OLEAUT32(?), ref: 00FA95E7
            • SafeArrayDestroyData.OLEAUT32(?), ref: 00FA95F4
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FA95FD
            • VariantClear.OLEAUT32(?), ref: 00FA960F
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FA961A
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            • Opcode ID: 0895ac88b00a019681a2b82e0a0ec38e0e7d4ca7b90e011edbe72e14c753b9a0
            • Instruction ID: 818473f1939ca4057b3b0689b56a30b168ccd007b60320a49994e51f30850835
            • Opcode Fuzzy Hash: 0895ac88b00a019681a2b82e0a0ec38e0e7d4ca7b90e011edbe72e14c753b9a0
            • Instruction Fuzzy Hash: CA413D71D0021DAFCB01EFA4DC849EEBBBDFF09354F108065E901A7251DB75AA45EBA1
            APIs
              • Part of subcall function 00F7936C: __swprintf.LIBCMT ref: 00F793AB
              • Part of subcall function 00F7936C: __itow.LIBCMT ref: 00F793DF
            • CoInitialize.OLE32 ref: 00FCADF6
            • CoUninitialize.OLE32 ref: 00FCAE01
            • CoCreateInstance.OLE32(?,00000000,00000017,00FFD8FC,?), ref: 00FCAE61
            • IIDFromString.OLE32(?,?), ref: 00FCAED4
            • VariantInit.OLEAUT32(?), ref: 00FCAF6E
            • VariantClear.OLEAUT32(?), ref: 00FCAFCF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 834269672-1287834457
            • Opcode ID: 7143bd75c7e66f24db2668f588930984332be4fe67583811ae1afe2f5fb8d497
            • Instruction ID: 8c122d92da80d35b8dded1d857c47e31f46961077bb3aa651c73b68267052efb
            • Opcode Fuzzy Hash: 7143bd75c7e66f24db2668f588930984332be4fe67583811ae1afe2f5fb8d497
            • Instruction Fuzzy Hash: 3661AA716083169FD710EF65C98AF6AB7E8AF88718F00440DF9859B291C774ED48EB93
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 00FC8168
            • inet_addr.WSOCK32(?,?,?), ref: 00FC81AD
            • gethostbyname.WSOCK32(?), ref: 00FC81B9
            • IcmpCreateFile.IPHLPAPI ref: 00FC81C7
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC8237
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC824D
            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00FC82C2
            • WSACleanup.WSOCK32 ref: 00FC82C8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            • Opcode ID: 6d11c24c7052c6d1fcd23ab4600605e76aaba9f5956ac647031e8bbd0e66ada1
            • Instruction ID: b6c622425df4c00600ac9af26b35ca6e50a2a1d4abebb486a93c60f91fa8fe60
            • Opcode Fuzzy Hash: 6d11c24c7052c6d1fcd23ab4600605e76aaba9f5956ac647031e8bbd0e66ada1
            • Instruction Fuzzy Hash: 585194326047019FD720AF24CD4AF6AB7E5EF44760F04845DF956DB2A1DB74E806EB41
            APIs
            • _memset.LIBCMT ref: 00FD9E5B
            • CreateMenu.USER32 ref: 00FD9E76
            • SetMenu.USER32(?,00000000), ref: 00FD9E85
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FD9F12
            • IsMenu.USER32(?), ref: 00FD9F28
            • CreatePopupMenu.USER32 ref: 00FD9F32
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FD9F63
            • DrawMenuBar.USER32 ref: 00FD9F71
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
            • String ID: 0
            • API String ID: 176399719-4108050209
            • Opcode ID: 8413627d22274d8a847dd580978e90fb93e562380a9fb38c7fbb6743ddb414ee
            • Instruction ID: 6d8e049f329297ce05bf2331e2e8810832f0eaecbb524eeceae838edd4018715
            • Opcode Fuzzy Hash: 8413627d22274d8a847dd580978e90fb93e562380a9fb38c7fbb6743ddb414ee
            • Instruction Fuzzy Hash: 794168B9A00209EFDB10DFA4D844BAABBBAFF48314F18412AF945A7350D771A910EF50
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00FBE396
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FBE40C
            • GetLastError.KERNEL32 ref: 00FBE416
            • SetErrorMode.KERNEL32(00000000,READY), ref: 00FBE483
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            • Opcode ID: 6d030ec5a78780d615c18c07fa286264aa3a1c0d39e9defde9c222906b4fa7cf
            • Instruction ID: 13210ed8a55b82c4ef8b0984ee65b6d593f8ce8d0ba06128e163d4bd86df800e
            • Opcode Fuzzy Hash: 6d030ec5a78780d615c18c07fa286264aa3a1c0d39e9defde9c222906b4fa7cf
            • Instruction Fuzzy Hash: 82318139A00209DFDB01EF66CC45AFEB7B8EF48314F14805AE505DB291DB759901EF91
            APIs
            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FAB98C
            • GetDlgCtrlID.USER32 ref: 00FAB997
            • GetParent.USER32 ref: 00FAB9B3
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FAB9B6
            • GetDlgCtrlID.USER32(?), ref: 00FAB9BF
            • GetParent.USER32(?), ref: 00FAB9DB
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00FAB9DE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent
            • String ID: ComboBox$ListBox
            • API String ID: 1383977212-1403004172
            • Opcode ID: fcb3bd6b859200a10bc3dd9a3bd5247d1af72d82e42d267d9c56d8414ee5eb61
            • Instruction ID: f70c86335e82485315246d96af427c2803bd95dabe3787d2d428f484222f6d8d
            • Opcode Fuzzy Hash: fcb3bd6b859200a10bc3dd9a3bd5247d1af72d82e42d267d9c56d8414ee5eb61
            • Instruction Fuzzy Hash: B521B6B5900108BFDB04ABA4CC95EFEBB79EF4A310F10411AF55597292DB785815FB60
            APIs
            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FABA73
            • GetDlgCtrlID.USER32 ref: 00FABA7E
            • GetParent.USER32 ref: 00FABA9A
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FABA9D
            • GetDlgCtrlID.USER32(?), ref: 00FABAA6
            • GetParent.USER32(?), ref: 00FABAC2
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00FABAC5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent
            • String ID: ComboBox$ListBox
            • API String ID: 1383977212-1403004172
            • Opcode ID: 2cd6d843b5725cf95effa175607570fde8004787b472686f4801cd5f65619a8b
            • Instruction ID: 0f8b907b8bff1391c23ed3e845dfc9f6901741bfc9dec069fa59f04f3dbb4a2b
            • Opcode Fuzzy Hash: 2cd6d843b5725cf95effa175607570fde8004787b472686f4801cd5f65619a8b
            • Instruction Fuzzy Hash: DD21B0B5A00108BFDB00ABA4CC85EFEBB79EF46300F14401AF951A7192DB795919FB60
            APIs
            • GetParent.USER32 ref: 00FABAE3
            • GetClassNameW.USER32(00000000,?,00000100), ref: 00FABAF8
            • _wcscmp.LIBCMT ref: 00FABB0A
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FABB85
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ClassMessageNameParentSend_wcscmp
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1704125052-3381328864
            • Opcode ID: 67d00d295ffc82a9e67d1a608714c2b55d98ca030fa3326cb119c1724a329a09
            • Instruction ID: 09366fe7e2dff953a1d3d8a1677c891a7f7aeabc4d73a2f8cf04f9c43b22ecb5
            • Opcode Fuzzy Hash: 67d00d295ffc82a9e67d1a608714c2b55d98ca030fa3326cb119c1724a329a09
            • Instruction Fuzzy Hash: 0B1106B6608307FEFA206661DC07DA6379DDF623B4B200026F904E84A6FFA56991B524
            APIs
            • VariantInit.OLEAUT32(?), ref: 00FCB2D5
            • CoInitialize.OLE32(00000000), ref: 00FCB302
            • CoUninitialize.OLE32 ref: 00FCB30C
            • GetRunningObjectTable.OLE32(00000000,?), ref: 00FCB40C
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00FCB539
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00FCB56D
            • CoGetObject.OLE32(?,00000000,00FFD91C,?), ref: 00FCB590
            • SetErrorMode.KERNEL32(00000000), ref: 00FCB5A3
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FCB623
            • VariantClear.OLEAUT32(00FFD91C), ref: 00FCB633
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
            • String ID:
            • API String ID: 2395222682-0
            • Opcode ID: a24f06d87ad705040eaa784fbf3559e7c2c1385169ef8c8f1cae75993c2d43df
            • Instruction ID: 17a9588647f2aa344ed95bc8eea7b279f5c1090c2239676aa584a5a44b55eeae
            • Opcode Fuzzy Hash: a24f06d87ad705040eaa784fbf3559e7c2c1385169ef8c8f1cae75993c2d43df
            • Instruction Fuzzy Hash: C2C142B5608306AFC700DF68C986E2BB7E9BF88308F04495DF58A9B251DB70ED05DB52
            APIs
            • __swprintf.LIBCMT ref: 00FB67FD
            • __swprintf.LIBCMT ref: 00FB680A
              • Part of subcall function 00F9172B: __woutput_l.LIBCMT ref: 00F91784
            • FindResourceW.KERNEL32(?,?,0000000E), ref: 00FB6834
            • LoadResource.KERNEL32(?,00000000), ref: 00FB6840
            • LockResource.KERNEL32(00000000), ref: 00FB684D
            • FindResourceW.KERNEL32(?,?,00000003), ref: 00FB686D
            • LoadResource.KERNEL32(?,00000000), ref: 00FB687F
            • SizeofResource.KERNEL32(?,00000000), ref: 00FB688E
            • LockResource.KERNEL32(?), ref: 00FB689A
            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00FB68F9
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
            • String ID:
            • API String ID: 1433390588-0
            • Opcode ID: 6338f62c934efb9d9c6835892b3240ad69b76e041c033a366fee635be6e13d40
            • Instruction ID: 190c0658f4131b890ef2847df4d5d089c16635230f8684e03bce1a3a1e380b2e
            • Opcode Fuzzy Hash: 6338f62c934efb9d9c6835892b3240ad69b76e041c033a366fee635be6e13d40
            • Instruction Fuzzy Hash: 84317EB1A0021AABDB119FA1DD45AFFBBADFF08355F108425F906D2140E778DA11EBA0
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 00FB4047
            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FB30A5,?,00000001), ref: 00FB405B
            • GetWindowThreadProcessId.USER32(00000000), ref: 00FB4062
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FB30A5,?,00000001), ref: 00FB4071
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB4083
            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FB30A5,?,00000001), ref: 00FB409C
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FB30A5,?,00000001), ref: 00FB40AE
            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FB30A5,?,00000001), ref: 00FB40F3
            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FB30A5,?,00000001), ref: 00FB4108
            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FB30A5,?,00000001), ref: 00FB4113
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
            • String ID:
            • API String ID: 2156557900-0
            • Opcode ID: e1b682d22610eefb3f64b9ddf234e29e4d61a4da978de944909ebf20a65383f4
            • Instruction ID: a78938a39d029552f18e7e85947aa2d01bf83dcf575a6f5959b4d60e44ebad8f
            • Opcode Fuzzy Hash: e1b682d22610eefb3f64b9ddf234e29e4d61a4da978de944909ebf20a65383f4
            • Instruction Fuzzy Hash: 1E318F71910208ABDB21DB5ADDC5BB977AEFF54361F108006F905DA285CBB9AC80EF60
            APIs
            • GetSysColor.USER32(00000008), ref: 00F8B496
            • SetTextColor.GDI32(?,000000FF), ref: 00F8B4A0
            • SetBkMode.GDI32(?,00000001), ref: 00F8B4B5
            • GetStockObject.GDI32(00000005), ref: 00F8B4BD
            • GetClientRect.USER32(?), ref: 00FEDD63
            • SendMessageW.USER32(?,00001328,00000000,?), ref: 00FEDD7A
            • GetWindowDC.USER32(?), ref: 00FEDD86
            • GetPixel.GDI32(00000000,?,?), ref: 00FEDD95
            • ReleaseDC.USER32(?,00000000), ref: 00FEDDA7
            • GetSysColor.USER32(00000005), ref: 00FEDDC5
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
            • String ID:
            • API String ID: 3430376129-0
            • Opcode ID: a890bf6f1d2882afbe183ab7c8cdc812c6cca3267ce4632b58be184700453185
            • Instruction ID: 620c29775ab55012ccf5f849d46481130c40a3726a48be7673137a357d9699e9
            • Opcode Fuzzy Hash: a890bf6f1d2882afbe183ab7c8cdc812c6cca3267ce4632b58be184700453185
            • Instruction Fuzzy Hash: A8114C31500209AFEB216FA4EC09BF97B6AEF05335F148625FA66951E1CB710941FB21
            APIs
            • EnumChildWindows.USER32(?,00FACF50), ref: 00FACE90
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ChildEnumWindows
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
            • API String ID: 3555792229-1603158881
            • Opcode ID: 1968403abe2a8739b73c5ad48d72f07a02d9ba04c2cb0fa6e4a7a3a6071ef1c6
            • Instruction ID: a70edf25789b8017023f2c66d70938a769d6a34d30a2e4be1ab2f21a8353e8ce
            • Opcode Fuzzy Hash: 1968403abe2a8739b73c5ad48d72f07a02d9ba04c2cb0fa6e4a7a3a6071ef1c6
            • Instruction Fuzzy Hash: B591A471A00506ABDF18EFA0C881BEAFB75BF06310F508519E459E7251DF34695AFBE0
            APIs
            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F730DC
            • CoUninitialize.OLE32(?,00000000), ref: 00F73181
            • UnregisterHotKey.USER32(?), ref: 00F732A9
            • DestroyWindow.USER32(?), ref: 00FE5079
            • FreeLibrary.KERNEL32(?), ref: 00FE50F8
            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FE5125
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
            • String ID: close all
            • API String ID: 469580280-3243417748
            • Opcode ID: 807ab9f31f5dabd2b50a2032e519a5b0549a27532e3d2a75c3797c08fcdb0402
            • Instruction ID: 6b2aa303ebea225adb3dbc77b789f85ff4c003fe4733f6887720dd0a1d12a9ad
            • Opcode Fuzzy Hash: 807ab9f31f5dabd2b50a2032e519a5b0549a27532e3d2a75c3797c08fcdb0402
            • Instruction Fuzzy Hash: 04913B306002469FC719EF24C895B68F3A4FF05714F5481AEE50AA7262DB34AE16FF52
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 00F8CC15
              • Part of subcall function 00F8CCCD: GetClientRect.USER32(?,?), ref: 00F8CCF6
              • Part of subcall function 00F8CCCD: GetWindowRect.USER32(?,?), ref: 00F8CD37
              • Part of subcall function 00F8CCCD: ScreenToClient.USER32(?,?), ref: 00F8CD5F
            • GetDC.USER32 ref: 00FED137
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FED14A
            • SelectObject.GDI32(00000000,00000000), ref: 00FED158
            • SelectObject.GDI32(00000000,00000000), ref: 00FED16D
            • ReleaseDC.USER32(?,00000000), ref: 00FED175
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FED200
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            • Opcode ID: a85755ec09c5d4bf0f148ee096c1f9feb81432cf273559940f14432daa8a0ca0
            • Instruction ID: 74adfd0235f3c4e3f2088a506ab779b892c6c033ac7af44be6c8060cd6f984cc
            • Opcode Fuzzy Hash: a85755ec09c5d4bf0f148ee096c1f9feb81432cf273559940f14432daa8a0ca0
            • Instruction Fuzzy Hash: 4D71F331800289DFDF21EF65CC80AEA3BB6FF49360F18426AED555A6A5C7358841FF60
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FC45FF
            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FC462B
            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00FC466D
            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FC4682
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FC468F
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00FC46BF
            • InternetCloseHandle.WININET(00000000), ref: 00FC4706
              • Part of subcall function 00FC5052: GetLastError.KERNEL32(?,?,00FC43CC,00000000,00000000,00000001), ref: 00FC5067
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
            • String ID:
            • API String ID: 1241431887-3916222277
            • Opcode ID: 90f7105d24d73f58979bcbdb6c11d9fd28192a43517dee67630a14b6bd75d823
            • Instruction ID: a6148535f5bae93e63d5074d4f5adcadfefd6afce98a00fdb1d14dab24776a6a
            • Opcode Fuzzy Hash: 90f7105d24d73f58979bcbdb6c11d9fd28192a43517dee67630a14b6bd75d823
            • Instruction Fuzzy Hash: 654171B290120ABFEB019F50CD96FBB77ACFF09714F10401AFA059A185D774A944ABA4
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0100DC00), ref: 00FCB715
            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0100DC00), ref: 00FCB749
            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FCB8C1
            • SysFreeString.OLEAUT32(?), ref: 00FCB8EB
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Free$FileLibraryModuleNamePathQueryStringType
            • String ID:
            • API String ID: 560350794-0
            • Opcode ID: 14a10996e44024585f4f31b79bd53c18716a1552ea17b076ba7060994085d22e
            • Instruction ID: 6e28dcb48edee3f6de3a7c180d2a8a74186e745d4bdbd9970064a0e765fefb33
            • Opcode Fuzzy Hash: 14a10996e44024585f4f31b79bd53c18716a1552ea17b076ba7060994085d22e
            • Instruction Fuzzy Hash: D2F12A75A0010AEFCF04DF94C986EAEB7B9FF48315F108499F905AB250DB35AD46DB90
            APIs
            • _memset.LIBCMT ref: 00FD24F5
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FD2688
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FD26AC
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FD26EC
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FD270E
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FD286F
            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00FD28A1
            • CloseHandle.KERNEL32(?), ref: 00FD28D0
            • CloseHandle.KERNEL32(?), ref: 00FD2947
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
            • String ID:
            • API String ID: 4090791747-0
            • Opcode ID: 7fdb1a38f0b62f549625d088508b15e31fc99dd2a5ba28dcf6df04fd4ec56fa1
            • Instruction ID: ab1ac3da2bf271094c17a34fa4d9e59c227d8e032bc9f92815e23b840abcc2de
            • Opcode Fuzzy Hash: 7fdb1a38f0b62f549625d088508b15e31fc99dd2a5ba28dcf6df04fd4ec56fa1
            • Instruction Fuzzy Hash: C3D1A231604201DFC754EF24C851B6EBBE6AF94320F18845EF8995B3A1DB35DC45EB92
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FDB3F4
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: b89ae8961308753cf0e9e20da529f1c93cd1bec617297d64295c979afda1b56e
            • Instruction ID: 1cb46a8342cbfca960b88971f540fd21a0a59f536b80188339915f90493d05b1
            • Opcode Fuzzy Hash: b89ae8961308753cf0e9e20da529f1c93cd1bec617297d64295c979afda1b56e
            • Instruction Fuzzy Hash: 2F518131904204FAEB21EF28DC85BAD3BAAAB05324F6D4117F615E63E1CB75E940FB51
            APIs
            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FEDB1B
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FEDB3C
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FEDB51
            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FEDB6E
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FEDB95
            • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00F8A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00FEDBA0
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FEDBBD
            • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00F8A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00FEDBC8
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend
            • String ID:
            • API String ID: 1268354404-0
            • Opcode ID: b493ad2c331ec39f69f55c1bded7e389c7affeb948517271d713c2168b62cad2
            • Instruction ID: b47251273764001ae716dc3c9263457b134d2f28dce58f17693c6fe7c499f37c
            • Opcode Fuzzy Hash: b493ad2c331ec39f69f55c1bded7e389c7affeb948517271d713c2168b62cad2
            • Instruction Fuzzy Hash: BC516C71A00209EFEB24EF69CC81FAA77B9EF48760F100519F94697690E774AD90FB50
            APIs
              • Part of subcall function 00FB6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FB5FA6,?), ref: 00FB6ED8
              • Part of subcall function 00FB6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FB5FA6,?), ref: 00FB6EF1
              • Part of subcall function 00FB72CB: GetFileAttributesW.KERNEL32(?,00FB6019), ref: 00FB72CC
            • lstrcmpiW.KERNEL32(?,?), ref: 00FB75CA
            • _wcscmp.LIBCMT ref: 00FB75E2
            • MoveFileW.KERNEL32(?,?), ref: 00FB75FB
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
            • String ID:
            • API String ID: 793581249-0
            • Opcode ID: 792e25b4a7dda5b771179d3578a6b4a4306c785ea821e3d50ac1f97077213c32
            • Instruction ID: 034ad8ae365f79a4fdda708e9e72cbb5f74c5b4798bf48d6862b05d9315328de
            • Opcode Fuzzy Hash: 792e25b4a7dda5b771179d3578a6b4a4306c785ea821e3d50ac1f97077213c32
            • Instruction Fuzzy Hash: 885130B2A092199EDF60EB95DC819DE73BCAF48320F1040AAF605E3141EA74D6C9DF60
            APIs
            • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00FEDAD1,00000004,00000000,00000000), ref: 00F8EAEB
            • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00FEDAD1,00000004,00000000,00000000), ref: 00F8EB32
            • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00FEDAD1,00000004,00000000,00000000), ref: 00FEDC86
            • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00FEDAD1,00000004,00000000,00000000), ref: 00FEDCF2
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            • Opcode ID: dcfb7bcbf414151d313a4663aac0c549ff9838039544c3575a6a331b32df1148
            • Instruction ID: 488d9a8c214561d1e201f21fdf3d9e8404e23b64007bf2b59e10f05c295e3962
            • Opcode Fuzzy Hash: dcfb7bcbf414151d313a4663aac0c549ff9838039544c3575a6a331b32df1148
            • Instruction Fuzzy Hash: 6E411A72B09280DBDB39772D8D8DBBA7A9ABFD5324F29041DF08786961C675B840F311
            APIs
              • Part of subcall function 00FAD342: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FAD362
              • Part of subcall function 00FAD342: GetCurrentThreadId.KERNEL32 ref: 00FAD369
              • Part of subcall function 00FAD342: AttachThreadInput.USER32(00000000,?,00FAC005,?,00000001), ref: 00FAD370
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FAC010
            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FAC02D
            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00FAC030
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FAC039
            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FAC057
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FAC05A
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FAC063
            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FAC07A
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FAC07D
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
            • String ID:
            • API String ID: 2014098862-0
            • Opcode ID: 21f0f86af1bbb4be4c6d816bfbf965f5f6b9601eb05ccf0a98bec524677c6dd9
            • Instruction ID: 469f79ec3fc34871698d656d41d228ba3571d658d8b2fd76e9588ea697472d0a
            • Opcode Fuzzy Hash: 21f0f86af1bbb4be4c6d816bfbf965f5f6b9601eb05ccf0a98bec524677c6dd9
            • Instruction Fuzzy Hash: 1111A1F5540618BEFB106B648C89F7A3F2EEF48755F100415F241EB0A1C9F65C41EAA4
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FAAEF1,00000B00,?,?), ref: 00FAB26C
            • HeapAlloc.KERNEL32(00000000,?,00FAAEF1,00000B00,?,?), ref: 00FAB273
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FAAEF1,00000B00,?,?), ref: 00FAB288
            • GetCurrentProcess.KERNEL32(?,00000000,?,00FAAEF1,00000B00,?,?), ref: 00FAB290
            • DuplicateHandle.KERNEL32(00000000,?,00FAAEF1,00000B00,?,?), ref: 00FAB293
            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FAAEF1,00000B00,?,?), ref: 00FAB2A3
            • GetCurrentProcess.KERNEL32(00FAAEF1,00000000,?,00FAAEF1,00000B00,?,?), ref: 00FAB2AB
            • DuplicateHandle.KERNEL32(00000000,?,00FAAEF1,00000B00,?,?), ref: 00FAB2AE
            • CreateThread.KERNEL32(00000000,00000000,00FAB2D4,00000000,00000000,00000000), ref: 00FAB2C8
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            • Opcode ID: 89e2efa730af4868ed7554c1615d23b991946a6d97dcfb9712f0c5624c10566d
            • Instruction ID: 0e63ed7abea10e6f40a36c2392f93b05648780fede0a913a01e33b89039e67ad
            • Opcode Fuzzy Hash: 89e2efa730af4868ed7554c1615d23b991946a6d97dcfb9712f0c5624c10566d
            • Instruction Fuzzy Hash: E301B6B5240308BFE710ABA5DC89F6B7BADEF89711F018411FA05DB1A1CA759800DB61
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID: NULL Pointer assignment$Not an Object type
            • API String ID: 0-572801152
            • Opcode ID: 4d147db8b03cb2bd47617640789c290082fa6d8616b9d9084cc5e30576cd3159
            • Instruction ID: 6f715d57ff15a218176687d01a5436bd5a83ed6f32c17c7087a85b39d872fb31
            • Opcode Fuzzy Hash: 4d147db8b03cb2bd47617640789c290082fa6d8616b9d9084cc5e30576cd3159
            • Instruction Fuzzy Hash: EAE19571E0021A9BDF14DFA4CE82FAE77B5EF48314F14802DE909AB281D7749D45EB90
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Variant$ClearInit$_memset
            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2862541840-625585964
            • Opcode ID: f16efecdb149a065060bd8d16d65f69e7daa4d27337de974c6c31d29033edf0d
            • Instruction ID: 344a5fb57be1d4c5ccef0a4c0fd5c21c1fd065151144e847a5b2aead8011765f
            • Opcode Fuzzy Hash: f16efecdb149a065060bd8d16d65f69e7daa4d27337de974c6c31d29033edf0d
            • Instruction Fuzzy Hash: EE919D75E0021AABDF24CF95CD46FAEB7B8EF85720F10815DF516AB280DB709944DBA0
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FD9B19
            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00FD9B2D
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FD9B47
            • _wcscat.LIBCMT ref: 00FD9BA2
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00FD9BB9
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FD9BE7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend$Window_wcscat
            • String ID: SysListView32
            • API String ID: 307300125-78025650
            • Opcode ID: 3ffc465b320adfc3295f68c0b8ddda94d550a30338e0a5c49543856c837a5ee6
            • Instruction ID: 4577005312f5d1b3db061871af15153ac76b42edda2d345218ad37b274b03007
            • Opcode Fuzzy Hash: 3ffc465b320adfc3295f68c0b8ddda94d550a30338e0a5c49543856c837a5ee6
            • Instruction Fuzzy Hash: 2E41B571A04308ABDB219FA4CC85BEE77A9EF48350F14042BF589E7291D7B59D84EB60
            APIs
              • Part of subcall function 00FB6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00FB6554
              • Part of subcall function 00FB6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00FB6564
              • Part of subcall function 00FB6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00FB65F9
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FD179A
            • GetLastError.KERNEL32 ref: 00FD17AD
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FD17D9
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00FD1855
            • GetLastError.KERNEL32(00000000), ref: 00FD1860
            • CloseHandle.KERNEL32(00000000), ref: 00FD1895
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            • Opcode ID: 0292208a709b9b82d87e71f34c5f25ea784bdeab9859d8278f70cc822d5e5e4b
            • Instruction ID: 6bdac130ecebfaca434700971faa4282e91566e7696dbbd69b62112cc4b98a17
            • Opcode Fuzzy Hash: 0292208a709b9b82d87e71f34c5f25ea784bdeab9859d8278f70cc822d5e5e4b
            • Instruction Fuzzy Hash: B2419D72600200AFDB15EF54CC95FBEB7A6BF44310F088059F9069F392DB78A900EB91
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 00FB58B8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            • Opcode ID: 87ffc3f05ba3540048b889a365a41b4ed0a4116d763f072e465ce28536a11532
            • Instruction ID: a6cc6100ff0ec3682f4777a384431a3399d60d27c2f09104401d90e372d51504
            • Opcode Fuzzy Hash: 87ffc3f05ba3540048b889a365a41b4ed0a4116d763f072e465ce28536a11532
            • Instruction Fuzzy Hash: EF113036709746BEF7115B569C42FEA339DEF19B24B20003EF540ED181F7ACE9406A64
            APIs
            • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00FBA806
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ArraySafeVartype
            • String ID:
            • API String ID: 1725837607-0
            • Opcode ID: 9fc3a7abf7134c6c9f2d5e700561e63cf331f69dd5e63ded8dfc64def19364b4
            • Instruction ID: 41e88744e596e116c4337a76ddc0d859fcaa607e841bb2e46f16372dbd2c4b61
            • Opcode Fuzzy Hash: 9fc3a7abf7134c6c9f2d5e700561e63cf331f69dd5e63ded8dfc64def19364b4
            • Instruction Fuzzy Hash: B7C15C75A0421ADFDB04DF99C881BEEB7F8EF08315F24406AE605E7241D738A945EFA1
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FB6B63
            • LoadStringW.USER32(00000000), ref: 00FB6B6A
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FB6B80
            • LoadStringW.USER32(00000000), ref: 00FB6B87
            • _wprintf.LIBCMT ref: 00FB6BAD
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FB6BCB
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 00FB6BA8
            Similarity
            • API ID: HandleLoadModuleString$Message_wprintf
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 3648134473-3128320259
            • Opcode ID: ce0c571e8176032af8aca69fbf91f78a7556145eb0a126d80a3f3850e97b1ef4
            • Instruction ID: f68e55d8e7b1ff682dce0f9b60224ea4e68bc305629b96aceee498004de10414
            • Opcode Fuzzy Hash: ce0c571e8176032af8aca69fbf91f78a7556145eb0a126d80a3f3850e97b1ef4
            • Instruction Fuzzy Hash: 060112F690021CBFEB11A7949D89EFA766CEB08304F044496B745D6041EA749E849F74
            APIs
              • Part of subcall function 00FD3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FD2BB5,?,?), ref: 00FD3C1D
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FD2BF6
            Similarity
            • API ID: BuffCharConnectRegistryUpper
            • String ID:
            • API String ID: 2595220575-0
            • Opcode ID: 9829d25d0fc18d1865ddc07ef9929dc239b53fea0e8599f815fdaeff7d62bc9c
            • Instruction ID: 7fd07bfbc935fbb298182146e9bbfd3b7a78a26379f8bb32bb507260148d2618
            • Opcode Fuzzy Hash: 9829d25d0fc18d1865ddc07ef9929dc239b53fea0e8599f815fdaeff7d62bc9c
            • Instruction Fuzzy Hash: 6B915B716042019FC750EF14CC91B6EB7E6EF94320F08885EF99A97391DB79E905EB82
            APIs
            • select.WSOCK32 ref: 00FC9691
            • WSAGetLastError.WSOCK32(00000000), ref: 00FC969E
            • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00FC96C8
            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FC96E9
            • WSAGetLastError.WSOCK32(00000000), ref: 00FC96F8
            • inet_ntoa.WSOCK32(?), ref: 00FC9765
            • htons.WSOCK32(?,?,?,00000000,?), ref: 00FC97AA
            Similarity
            • API ID: ErrorLast$htonsinet_ntoaselect
            • String ID:
            • API String ID: 500251541-0
            • Opcode ID: 231e5bb60c76d64c83eaa5fbd09715a11fed7be793ab3d01fa48c597b79450a0
            • Instruction ID: d7144f9fd61193642d675ba69c0adfa18916851446a9ddb7021fc904d60db0e1
            • Opcode Fuzzy Hash: 231e5bb60c76d64c83eaa5fbd09715a11fed7be793ab3d01fa48c597b79450a0
            • Instruction Fuzzy Hash: 1871EF32508201AFC310EF64CC8AF6BB7E9EF85714F104A1DF5559B191EB74E905EB92
            APIs
            • __mtinitlocknum.LIBCMT ref: 00F9A991
              • Part of subcall function 00F97D7C: __FF_MSGBANNER.LIBCMT ref: 00F97D91
              • Part of subcall function 00F97D7C: __NMSG_WRITE.LIBCMT ref: 00F97D98
              • Part of subcall function 00F97D7C: __malloc_crt.LIBCMT ref: 00F97DB8
            • __lock.LIBCMT ref: 00F9A9A4
            • __lock.LIBCMT ref: 00F9A9F0
            • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,01026DE0,00000018,00FA5E7B,?,00000000,00000109), ref: 00F9AA0C
            • EnterCriticalSection.KERNEL32(8000000C,01026DE0,00000018,00FA5E7B,?,00000000,00000109), ref: 00F9AA29
            • LeaveCriticalSection.KERNEL32(8000000C), ref: 00F9AA39
            Similarity
            • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
            • String ID:
            • API String ID: 1422805418-0
            • Opcode ID: 5feca98ab35872e1356bff31413690d740fa834d31c99e5f9b7711190d30f4ec
            • Instruction ID: 98b87549c5c45d47a78b5569fb4aba26656e66a169d36f31963306da2b5f4544
            • Opcode Fuzzy Hash: 5feca98ab35872e1356bff31413690d740fa834d31c99e5f9b7711190d30f4ec
            • Instruction Fuzzy Hash: CA412071E00605DBFF20DF69CA44768B7B4AF05334F218219E425AB2C0DB7D9841EBC2
            APIs
            • DeleteObject.GDI32(00000000), ref: 00FD8EE4
            • GetDC.USER32(00000000), ref: 00FD8EEC
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FD8EF7
            • ReleaseDC.USER32(00000000,00000000), ref: 00FD8F03
            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00FD8F3F
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FD8F50
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FDBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00FD8F8A
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FD8FAA
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            • Opcode ID: b49074ad318ac01814718852c94a37eaca41c24a7613a1d57646b31cbda10981
            • Instruction ID: 95ec59b07cb4cd5565a07436c960d8f3c42750da20acf43a0b3b51ee9212ee34
            • Opcode Fuzzy Hash: b49074ad318ac01814718852c94a37eaca41c24a7613a1d57646b31cbda10981
            • Instruction Fuzzy Hash: 15314F72100214BFEB118F50CC49FFA3BAEEF49765F084065FE09DA295DAB59842DB74
            APIs
              • Part of subcall function 00F7936C: __swprintf.LIBCMT ref: 00F793AB
              • Part of subcall function 00F7936C: __itow.LIBCMT ref: 00F793DF
              • Part of subcall function 00F8C6F4: _wcscpy.LIBCMT ref: 00F8C717
            • _wcstok.LIBCMT ref: 00FC184E
            • _wcscpy.LIBCMT ref: 00FC18DD
            • _memset.LIBCMT ref: 00FC1910
            Strings
            Similarity
            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
            • String ID: X
            • API String ID: 774024439-3081909835
            • Opcode ID: 9dd6d62560d7e862aa0453c137ae0c6e412c8857414d1d09db80174f58a17a07
            • Instruction ID: 3c9f94f0be0c3c5c5b4e8b9dcc40518fa632c837988c353f2ad2ce5bad66f79b
            • Opcode Fuzzy Hash: 9dd6d62560d7e862aa0453c137ae0c6e412c8857414d1d09db80174f58a17a07
            • Instruction Fuzzy Hash: A8C16E315083419FC724EF24CD82E5AB7E4BF86350F00892EF4999B2A2DB74EC15DB82
            APIs
              • Part of subcall function 00F8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F8B35F
            • GetSystemMetrics.USER32(0000000F), ref: 00FE016D
            • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00FE038D
            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FE03AB
            • InvalidateRect.USER32(?,00000000,00000001,?), ref: 00FE03D6
            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FE03FF
            • ShowWindow.USER32(00000003,00000000), ref: 00FE0421
            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00FE0440
            Similarity
            • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
            • String ID:
            • API String ID: 3356174886-0
            • Opcode ID: f24be096bf11a233e3fb1138f94888ee2309d6752674bbceeeed7673dd2f3d6b
            • Instruction ID: a064add807d6c3278e69d499ee6c8b7d9a7597e9b3b499cede6e2fcb6b9e71ad
            • Opcode Fuzzy Hash: f24be096bf11a233e3fb1138f94888ee2309d6752674bbceeeed7673dd2f3d6b
            • Instruction Fuzzy Hash: 72A1E131A00656EFDB18CF69C9857BDBBB1FF48710F048115EC94AB290DBB4AD90EB90
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1c0f4dde664a3caaf2196960d5c9ec156a4713f001d6074d4498c069f5d93277
            • Instruction ID: 50fe026c7b4dcddc48218ece94bb7955e687e3f9aec9d92c8ed7cbfb1e315494
            • Opcode Fuzzy Hash: 1c0f4dde664a3caaf2196960d5c9ec156a4713f001d6074d4498c069f5d93277
            • Instruction Fuzzy Hash: E7716BB1900109EFDF04DF98CC89AFEBB79FF85314F24814AFA15A6250C734AA11EB61
            APIs
            • _memset.LIBCMT ref: 00FD225A
            • _memset.LIBCMT ref: 00FD2323
            • ShellExecuteExW.SHELL32(?), ref: 00FD2368
              • Part of subcall function 00F7936C: __swprintf.LIBCMT ref: 00F793AB
              • Part of subcall function 00F7936C: __itow.LIBCMT ref: 00F793DF
              • Part of subcall function 00F8C6F4: _wcscpy.LIBCMT ref: 00F8C717
            • CloseHandle.KERNEL32(00000000), ref: 00FD242F
            • FreeLibrary.KERNEL32(00000000), ref: 00FD243E
            Strings
            Similarity
            • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
            • String ID: @
            • API String ID: 4082843840-2766056989
            • Opcode ID: e9fb092f402973d08e2fb78bd590558cc08772aa1cc353211d5ffa4fa7537813
            • Instruction ID: 44009a2c8303f9a0c1bda92a6fcc8f75cfa7736fcf9dd515a2cf0775ef050e69
            • Opcode Fuzzy Hash: e9fb092f402973d08e2fb78bd590558cc08772aa1cc353211d5ffa4fa7537813
            • Instruction Fuzzy Hash: 55719075A00619DFCF04EFA4C8819AEB7F6FF48310F14845AE859AB351CB38AD41EB90
            APIs
            • GetParent.USER32(?), ref: 00FB3DE7
            • GetKeyboardState.USER32(?), ref: 00FB3DFC
            • SetKeyboardState.USER32(?), ref: 00FB3E5D
            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00FB3E8B
            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00FB3EAA
            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00FB3EF0
            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FB3F13
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 1886a0f4f56424436d1f7b6bf678a00e9a9e214228822f57090302ab3eceea63
            • Instruction ID: b7c5f7c219feb56085649a6bb00fb51b36e924b6ed69d68308da7a7f4e84268f
            • Opcode Fuzzy Hash: 1886a0f4f56424436d1f7b6bf678a00e9a9e214228822f57090302ab3eceea63
            • Instruction Fuzzy Hash: 3A51C2A0E847D539FB36472A8C45BF67EA95B06314F084589E0D5468C2D6A8EE88FF60
            APIs
            • GetParent.USER32(00000000), ref: 00FB3C02
            • GetKeyboardState.USER32(?), ref: 00FB3C17
            • SetKeyboardState.USER32(?), ref: 00FB3C78
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FB3CA4
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FB3CC1
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FB3D05
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FB3D26
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 288ff56b25a704542ac1aa175c5b115d58f065cabe9ff3bb2c51253537003b61
            • Instruction ID: f5f7862f53884c7b7c8351998cebe9256653939a0fc369e488dfbf9abb6d8f45
            • Opcode Fuzzy Hash: 288ff56b25a704542ac1aa175c5b115d58f065cabe9ff3bb2c51253537003b61
            • Instruction Fuzzy Hash: 6751E6A09847D93DFB3683668C55BF6BF995B0A310F088588E0D5564C3D694EE84FF50
            APIs
            Similarity
            • API ID: _wcsncpy$LocalTime
            • String ID:
            • API String ID: 2945705084-0
            • Opcode ID: 435aedfb5339760ecf813ee338ef322cfcdb4417819ae5b8127182f6834f88a8
            • Instruction ID: 9a70e1dbc61abc83a678cb41d4b866bec1709afcc956c4457d370de43583fd61
            • Opcode Fuzzy Hash: 435aedfb5339760ecf813ee338ef322cfcdb4417819ae5b8127182f6834f88a8
            • Instruction Fuzzy Hash: 63418D66D10218BAEF50FBF48C469CFB3ADAF44310F508966E505E3121FA38E61497A9
            APIs
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00FD3DA1
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FD3DCB
            • FreeLibrary.KERNEL32(00000000), ref: 00FD3E80
              • Part of subcall function 00FD3D72: RegCloseKey.ADVAPI32(?), ref: 00FD3DE8
              • Part of subcall function 00FD3D72: FreeLibrary.KERNEL32(?), ref: 00FD3E3A
              • Part of subcall function 00FD3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00FD3E5D
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00FD3E25
            Similarity
            • API ID: EnumFreeLibrary$CloseDeleteOpen
            • String ID:
            • API String ID: 395352322-0
            • Opcode ID: 142d6f23e60266d59cb4f55ee6728645f6b34c79b2aa935316ce39e1fc9c1dc1
            • Instruction ID: 940d7cbf57ca15b36ae2b4ca4ccfabc954b26aeaa39fd5bf66c498342aed3ca2
            • Opcode Fuzzy Hash: 142d6f23e60266d59cb4f55ee6728645f6b34c79b2aa935316ce39e1fc9c1dc1
            • Instruction Fuzzy Hash: 6331EFB1D01109BFDB159B94DC85AFFB7BEEF08310F04016AE612E2291DA749F49EB61
            APIs
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FD8FE7
            • GetWindowLongW.USER32(0152E948,000000F0), ref: 00FD901A
            • GetWindowLongW.USER32(0152E948,000000F0), ref: 00FD904F
            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FD9081
            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FD90AB
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00FD90BC
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FD90D6
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            • Opcode ID: 624d7597d5a279f619e0903bb6248bdf17aa5c0d4a3c7dd92a03d4903bf30188
            • Instruction ID: fbbbce290c92c52a6028399a4722e64e97757fd91c71c51da4c26e0f7d751fca
            • Opcode Fuzzy Hash: 624d7597d5a279f619e0903bb6248bdf17aa5c0d4a3c7dd92a03d4903bf30188
            • Instruction Fuzzy Hash: 6F313D35604115DFDB20DFA8EC88F6437AAFB4A724F180165F555CB2A1CBB2A840EB41
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FB08F2
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FB0918
            • SysAllocString.OLEAUT32(00000000), ref: 00FB091B
            • SysAllocString.OLEAUT32(?), ref: 00FB0939
            • SysFreeString.OLEAUT32(?), ref: 00FB0942
            • StringFromGUID2.OLE32(?,?,00000028), ref: 00FB0967
            • SysAllocString.OLEAUT32(?), ref: 00FB0975
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: 0f14492fb9620326dced86b1b8a997b05a6a461fd8c796f6f2d59d3067dc393d
            • Instruction ID: c04417d38f416b57e9b54aae02d73a1f54a5972a890146ae5b2e15cf66a1af15
            • Opcode Fuzzy Hash: 0f14492fb9620326dced86b1b8a997b05a6a461fd8c796f6f2d59d3067dc393d
            • Instruction Fuzzy Hash: F9218176A01219AFAB10DFA9CC88DFB73ACEF09370B048125F915DB251DA70ED45EB60
            APIs
            Strings
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
            • API String ID: 1038674560-2734436370
            • Opcode ID: 56276a3b63a39d575b1f7ef9a0d7345d8864a6c7a2d3b5c57cf72f56fe381587
            • Instruction ID: ee83ab9981ee0aaeda5ae00ee590bd9b9583845ba68d8a535a3d17cf267159fe
            • Opcode Fuzzy Hash: 56276a3b63a39d575b1f7ef9a0d7345d8864a6c7a2d3b5c57cf72f56fe381587
            • Instruction Fuzzy Hash: 3D217932600211BBD731FA76DC02FFB7398EF64320F54402AF4469B082E7699942F7A1
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FB09CB
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FB09F1
            • SysAllocString.OLEAUT32(00000000), ref: 00FB09F4
            • SysAllocString.OLEAUT32 ref: 00FB0A15
            • SysFreeString.OLEAUT32 ref: 00FB0A1E
            • StringFromGUID2.OLE32(?,?,00000028), ref: 00FB0A38
            • SysAllocString.OLEAUT32(?), ref: 00FB0A46
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: c02d6771f11356b53a7a253456da2fd7d03815f16a2d7d7ff39f34fd9d132f40
            • Instruction ID: b038853a931ed5953fb71445d02c4bbc44d7c90feec5b5763de6540affd8a555
            • Opcode Fuzzy Hash: c02d6771f11356b53a7a253456da2fd7d03815f16a2d7d7ff39f34fd9d132f40
            • Instruction Fuzzy Hash: D3216275600204AF9B10DBA9DC89DBB77ECEF083607048525F909CB261EA74ED45EB64
            APIs
              • Part of subcall function 00F8D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F8D1BA
              • Part of subcall function 00F8D17C: GetStockObject.GDI32(00000011), ref: 00F8D1CE
              • Part of subcall function 00F8D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F8D1D8
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FDA32D
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FDA33A
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FDA345
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FDA354
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FDA360
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            • Opcode ID: ef9bdf3356d0f3ec7c65fa8953896cb840c333a205e7819da4f54448aab03045
            • Instruction ID: ba5918945a49e6469fda02a1ad268054dca1341d149954422313b8e82a5a1ec2
            • Opcode Fuzzy Hash: ef9bdf3356d0f3ec7c65fa8953896cb840c333a205e7819da4f54448aab03045
            • Instruction Fuzzy Hash: FD11D3B1500219BEEF115F60CC85EE77F6EFF08798F014115FA04A6160C6729C21EBA4
            APIs
            • GetClientRect.USER32(?,?), ref: 00F8CCF6
            • GetWindowRect.USER32(?,?), ref: 00F8CD37
            • ScreenToClient.USER32(?,?), ref: 00F8CD5F
            • GetClientRect.USER32(?,?), ref: 00F8CE8C
            • GetWindowRect.USER32(?,?), ref: 00F8CEA5
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Rect$Client$Window$Screen
            • String ID:
            • API String ID: 1296646539-0
            • Opcode ID: 8a4957b5ca5cecfd0ca0d5a3d641f14a868993308caed727688fbdcb1415ca77
            • Instruction ID: 7cfecf79b3a4e1912e2a60c64b0dac258f18ee5a8a08b86baa22a01d8cf8a7bc
            • Opcode Fuzzy Hash: 8a4957b5ca5cecfd0ca0d5a3d641f14a868993308caed727688fbdcb1415ca77
            • Instruction Fuzzy Hash: 7BB1707A90064ADBDF10DFA9C4807EDB7B1FF08710F149529ED69EB250DB30A950EBA4
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 00FD1C18
            • Process32FirstW.KERNEL32(00000000,?), ref: 00FD1C26
            • __wsplitpath.LIBCMT ref: 00FD1C54
              • Part of subcall function 00F91DFC: __wsplitpath_helper.LIBCMT ref: 00F91E3C
            • _wcscat.LIBCMT ref: 00FD1C69
            • Process32NextW.KERNEL32(00000000,?), ref: 00FD1CDF
            • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00FD1CF1
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
            • String ID:
            • API String ID: 1380811348-0
            • Opcode ID: b85286403b737680141f8a45bbad62b58c58185fc84c4c358cab452e1249bc55
            • Instruction ID: 6141f39a1184d988b087491b2a60cabf5d62db5f679a04282f980f89f31754ec
            • Opcode Fuzzy Hash: b85286403b737680141f8a45bbad62b58c58185fc84c4c358cab452e1249bc55
            • Instruction Fuzzy Hash: C6516C71504304AFD720EF24CC85EABB7EDEF88754F04492EF58997291EB34AA05DB92
            APIs
              • Part of subcall function 00FD3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FD2BB5,?,?), ref: 00FD3C1D
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FD30AF
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FD30EF
            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00FD3112
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FD313B
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FD317E
            • RegCloseKey.ADVAPI32(00000000), ref: 00FD318B
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
            • String ID:
            • API String ID: 3451389628-0
            • Opcode ID: 9a53ec6fbf80bfeec4bbfbd574543ace667aa138a159ea97094f929991327033
            • Instruction ID: 64ee9d0225d7d968ba8f210a1ec1c2beafa07b5a3638af1ea74c97d12adaa645
            • Opcode Fuzzy Hash: 9a53ec6fbf80bfeec4bbfbd574543ace667aa138a159ea97094f929991327033
            • Instruction Fuzzy Hash: AC514B31504204AFC704EF64CC85E6ABBFAFF89314F04891EF69587291DB75EA05EB52
            APIs
            • GetMenu.USER32(?), ref: 00FD8540
            • GetMenuItemCount.USER32(00000000), ref: 00FD8577
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FD859F
            • GetMenuItemID.USER32(?,?), ref: 00FD860E
            • GetSubMenu.USER32(?,?), ref: 00FD861C
            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00FD866D
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Menu$Item$CountMessagePostString
            • String ID:
            • API String ID: 650687236-0
            • Opcode ID: 734a3622fded4c9b0b6d64429731adf900baaf19d888bfe89b9c491c1d62b31f
            • Instruction ID: ab8fab18d6247e9279e3391f9206572bb6195540f4b3e25318f84471af4c1523
            • Opcode Fuzzy Hash: 734a3622fded4c9b0b6d64429731adf900baaf19d888bfe89b9c491c1d62b31f
            • Instruction Fuzzy Hash: 0F51A175E00119AFCF01EF54C841AAEB7F6EF48360F18445AE915B7351CB74AE42EB91
            APIs
            • _memset.LIBCMT ref: 00FB4B10
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FB4B5B
            • IsMenu.USER32(00000000), ref: 00FB4B7B
            • CreatePopupMenu.USER32 ref: 00FB4BAF
            • GetMenuItemCount.USER32(000000FF), ref: 00FB4C0D
            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FB4C3E
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
            • String ID:
            • API String ID: 3311875123-0
            • Opcode ID: 008bb20879324421d4908b50feb324d2bf17fe8127b43c52c4c03b3033c04290
            • Instruction ID: af35bf15a7523363c6fe774789b3d63b7b9bd51fc0400fa0633ec2453a13fe57
            • Opcode Fuzzy Hash: 008bb20879324421d4908b50feb324d2bf17fe8127b43c52c4c03b3033c04290
            • Instruction Fuzzy Hash: 0751D2B0A01209EBCF20CF6ACA84BEDBFF4BF44724F148159E5259B292D370A944EF51
            APIs
            • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0100DC00), ref: 00FC8E7C
            • WSAGetLastError.WSOCK32(00000000), ref: 00FC8E89
            • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00FC8EAD
            • #16.WSOCK32(?,?,00000000,00000000), ref: 00FC8EC5
            • _strlen.LIBCMT ref: 00FC8EF7
            • WSAGetLastError.WSOCK32(00000000), ref: 00FC8F6A
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ErrorLast$_strlenselect
            • String ID:
            • API String ID: 2217125717-0
            • Opcode ID: 2e0c848cbf278803b9c5c40f63f1f8a342f003c428c5187ab21e987287d208b3
            • Instruction ID: b8697871c9674b4ab76ff1aabe0380ee17a925edf100c74aa31d1eb7e49ac646
            • Opcode Fuzzy Hash: 2e0c848cbf278803b9c5c40f63f1f8a342f003c428c5187ab21e987287d208b3
            • Instruction Fuzzy Hash: 2341A272900109ABCB14EBA4CD86FAEB7BAAF48350F10415DF51A97291DF34AE01EB61
            APIs
              • Part of subcall function 00F8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F8B35F
            • BeginPaint.USER32(?,?,?), ref: 00F8AC2A
            • GetWindowRect.USER32(?,?), ref: 00F8AC8E
            • ScreenToClient.USER32(?,?), ref: 00F8ACAB
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F8ACBC
            • EndPaint.USER32(?,?,?,?,?), ref: 00F8AD06
            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00FEE673
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
            • String ID:
            • API String ID: 2592858361-0
            • Opcode ID: fdbc19985616f4550826c73f7dfcd924b9a9dd77a2709285ea00deca1cb200ab
            • Instruction ID: 3b2012f09f6e910efd9ba65feb10132cf04cffdafebaad657ebca64e1cd3473b
            • Opcode Fuzzy Hash: fdbc19985616f4550826c73f7dfcd924b9a9dd77a2709285ea00deca1cb200ab
            • Instruction Fuzzy Hash: EA41D0715002019FD720EF64DC84FBA7BACFF59720F04066AF9A4872A1C775A845FB62
            APIs
            • ShowWindow.USER32(01031628,00000000,01031628,00000000,00000000,01031628,?,00FEDC5D,00000000,?,00000000,00000000,00000000,?,00FEDAD1,00000004), ref: 00FDE40B
            • EnableWindow.USER32(00000000,00000000), ref: 00FDE42F
            • ShowWindow.USER32(01031628,00000000), ref: 00FDE48F
            • ShowWindow.USER32(00000000,00000004), ref: 00FDE4A1
            • EnableWindow.USER32(00000000,00000001), ref: 00FDE4C5
            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FDE4E8
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            • Opcode ID: 6574c84d860d36fe905af4f5e5c43a8eb5d609c34dbe6d56f155ae00eae36d5e
            • Instruction ID: c0c0e08a7b6ec9763228487535af6477d1032243d5d7924daa860bea349b3543
            • Opcode Fuzzy Hash: 6574c84d860d36fe905af4f5e5c43a8eb5d609c34dbe6d56f155ae00eae36d5e
            • Instruction Fuzzy Hash: 0B418538A41144EFDB11EF24C499B947BE2BF06314F1C41A6E9588F3A2C731E841EB51
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00FB98D1
              • Part of subcall function 00F8F4EA: std::exception::exception.LIBCMT ref: 00F8F51E
              • Part of subcall function 00F8F4EA: __CxxThrowException@8.LIBCMT ref: 00F8F533
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00FB9908
            • EnterCriticalSection.KERNEL32(?), ref: 00FB9924
            • LeaveCriticalSection.KERNEL32(?), ref: 00FB999E
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00FB99B3
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00FB99D2
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
            • String ID:
            • API String ID: 2537439066-0
            • Opcode ID: 69a6ff1b5e9f4ad3f5718235d704b4cb4ebee1d06c5a91907a40afb5ae49ebda
            • Instruction ID: de7b5a5856deda7ccaabef65b7a3d6af4670520add5e4dde6427ae0179536573
            • Opcode Fuzzy Hash: 69a6ff1b5e9f4ad3f5718235d704b4cb4ebee1d06c5a91907a40afb5ae49ebda
            • Instruction Fuzzy Hash: 03315231A00105EFDB10EF95DC85EAEB779FF45710B1480A9F905AB246D774DE14EBA0
            APIs
            • GetForegroundWindow.USER32(?,?,?,?,?,?,00FC77F4,?,?,00000000,00000001), ref: 00FC9B53
              • Part of subcall function 00FC6544: GetWindowRect.USER32(?,?), ref: 00FC6557
            • GetDesktopWindow.USER32 ref: 00FC9B7D
            • GetWindowRect.USER32(00000000), ref: 00FC9B84
            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00FC9BB6
              • Part of subcall function 00FB7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FB7AD0
            • GetCursorPos.USER32(?), ref: 00FC9BE2
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FC9C44
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
            • String ID:
            • API String ID: 4137160315-0
            • Opcode ID: 3999bb15e9ba8e4efbbc12f5c7d8ccb1bcc570ccb2f428c31ca6667d615b86cc
            • Instruction ID: 6002db138e4b1a83197a2ff4551f8b62966a7173db466be7033e17440e9119d5
            • Opcode Fuzzy Hash: 3999bb15e9ba8e4efbbc12f5c7d8ccb1bcc570ccb2f428c31ca6667d615b86cc
            • Instruction Fuzzy Hash: C931CF7250830AABC714DF14DC49FAAB7EEFF89314F04091AF585E7191DA71EA08DB92
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FAAFAE
            • OpenProcessToken.ADVAPI32(00000000), ref: 00FAAFB5
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FAAFC4
            • CloseHandle.KERNEL32(00000004), ref: 00FAAFCF
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FAAFFE
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00FAB012
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            • Opcode ID: 678dc7dfb774c4b13bb29e8d30fdf99dc561d960c02c1c71cabf15a73c6e6281
            • Instruction ID: 3aad5774c232114fa60d8de98bd1719078e1a2ece86a2cb44f1eaa06e991f3cd
            • Opcode Fuzzy Hash: 678dc7dfb774c4b13bb29e8d30fdf99dc561d960c02c1c71cabf15a73c6e6281
            • Instruction Fuzzy Hash: 332179B250020DAFDB128FA4ED49BAE7BAAAF46314F044015FA01A6161C376DD24FB61
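The records above are function-level API listings from the main image, and the AutoIt directive strings in the first record (#OnAutoItStartRegister, #notrayicon, #requireadmin) show that much of this code is the script interpreter's own runtime. The Toolhelp32 process walk at 00FD1C18 (the by-name process check behind a ProcessExists-style call), the RegConnectRegistryW/RegEnumValueW enumeration at 00FD30AF, the select-then-recv socket read at 00FC8E7C (wsock32.dll exports recv at ordinal 16, which the report shows as #16), the mouse_event synthetic input at 00FC9B53 and the CreateProcessWithLogonW launch at 00FAAFAE are all capabilities the interpreter exposes, so their presence alone does not say what the embedded script does. What helps in triage is pulling these records out of the report and tagging them by API pattern, so the few that matter can be pivoted on. The following Python script is an added example of doing that; it is not Joe Sandbox code and is not taken from the sample. It parses records in the format shown on this page (including "Part of subcall function" lines and ordinal imports), resolves #16 to recv, and matches each record against a small rule set. The rule names, the ORDINALS table and the abridged copies of this report's records used as input are this example's own.

```python
"""Triage Joe Sandbox function-level "APIs" records by the Win32 calls they list.

Added example for reading reports in this format; not Joe Sandbox code and not
taken from the sample. Rule names and the ORDINALS table are this example's own.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# One call line:   • Api.MODULE(args), ref: ADDR
# or, indented:    • Part of subcall function ADDR: Api.MODULE(args), ref: ADDR
# Imports by ordinal appear as '#N' in place of the API name.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
ORDINALS = {("WSOCK32", "#16"): "recv"}  # wsock32.dll ordinal 16 is recv

@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None  # callee address when the call sits inside a subcall

def parse_records(text: str) -> list[list[Call]]:
    """Group the call lines after each 'APIs' header; any other line ends the group."""
    records: list[list[Call]] = []
    current: list[Call] | None = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None or current is None:
            current = None          # also drops call lines outside any record
            continue
        api = ORDINALS.get((m["mod"], m["api"]), m["api"])
        args = [a for a in (m["args"] or "").split(",") if a]
        current.append(Call(api, m["mod"], args, m["ref"], m["sub"]))
    return records

# A rule fires when every listed API is a direct call of the record.
RULES: dict[str, set[str]] = {
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "registry-value-enumeration": {"RegConnectRegistryW", "RegOpenKeyExW", "RegEnumValueW"},
    "socket-receive": {"select", "recv"},
    "run-as-other-user": {"CreateProcessWithLogonW", "CreateEnvironmentBlock"},
    "synthetic-mouse-input": {"mouse_event", "GetCursorPos"},
}

def classify(record: list[Call]) -> list[str]:
    """Subcall lines belong to the callee, so only direct calls count."""
    direct = {c.api for c in record if c.subcall_of is None}
    return sorted(name for name, needed in RULES.items() if needed <= direct)

def triage(text: str) -> dict[str, list[str]]:
    """Map each record's first direct-call address to the rules it matches."""
    out: dict[str, list[str]] = {}
    for record in parse_records(text):
        direct = [c.ref for c in record if c.subcall_of is None]
        if direct:
            out[direct[0]] = classify(record)
    return out

# Abridged copies of records from this report (constructed test input).
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00FD1C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00FD1C26
• __wsplitpath.LIBCMT ref: 00FD1C54
  • Part of subcall function 00F91DFC: __wsplitpath_helper.LIBCMT ref: 00F91E3C
• Process32NextW.KERNEL32(00000000,?), ref: 00FD1CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00FD1CF1
Memory Dump Source
APIs
  • Part of subcall function 00FD3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FD2BB5,?,?), ref: 00FD3C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FD30AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FD30EF
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FD313B
Memory Dump Source
APIs
• GetMenu.USER32(?), ref: 00FD8540
Memory Dump Source
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0100DC00), ref: 00FC8E7C
• __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00FC8EAD
• #16.WSOCK32(?,?,00000000,00000000), ref: 00FC8EC5
Memory Dump Source
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00FC77F4,?,?,00000000,00000001), ref: 00FC9B53
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00FC9BB6
• GetCursorPos.USER32(?), ref: 00FC9BE2
Memory Dump Source
APIs
• OpenProcessToken.ADVAPI32(00000000), ref: 00FAAFB5
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FAAFC4
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FAAFFE
Memory Dump Source
"""

if __name__ == "__main__":
    for entry, tags in triage(SAMPLE).items():
        print(entry, ", ".join(tags) or "-")
```

Feed it the text of the whole report instead of SAMPLE to tag every record, and extend RULES with the patterns you care about. classify() ignores "Part of subcall function" lines on purpose: they describe the callee, and counting them would make every caller of a shared helper match the helper's pattern.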
            APIs
              • Part of subcall function 00F8AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00F8AFE3
              • Part of subcall function 00F8AF83: SelectObject.GDI32(?,00000000), ref: 00F8AFF2
              • Part of subcall function 00F8AF83: BeginPath.GDI32(?), ref: 00F8B009
              • Part of subcall function 00F8AF83: SelectObject.GDI32(?,00000000), ref: 00F8B033
            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00FDEC20
            • LineTo.GDI32(00000000,00000003,?), ref: 00FDEC34
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00FDEC42
            • LineTo.GDI32(00000000,00000000,?), ref: 00FDEC52
            • EndPath.GDI32(00000000), ref: 00FDEC62
            • StrokePath.GDI32(00000000), ref: 00FDEC72
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            • Opcode ID: 6e2f001eb41177d84b60335c592793d4b6ec252b39ef20fd068eeb601d32cfd7
            • Instruction ID: fb23efe3ac5f4308b3d09b1c35ce9ef600e2b26e0262a8387e60c31470211b84
            • Opcode Fuzzy Hash: 6e2f001eb41177d84b60335c592793d4b6ec252b39ef20fd068eeb601d32cfd7
            • Instruction Fuzzy Hash: 56111B7640014DBFEF129F90DD88EEA7F6EEF08360F048112BE0889164D7719D55EBA0
            APIs
            • GetDC.USER32(00000000), ref: 00FAE1C0
            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00FAE1D1
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FAE1D8
            • ReleaseDC.USER32(00000000,00000000), ref: 00FAE1E0
            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FAE1F7
            • MulDiv.KERNEL32(000009EC,?,?), ref: 00FAE209
              • Part of subcall function 00FA9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00FA9A05,00000000,00000000,?,00FA9DDB), ref: 00FAA53A
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CapsDevice$ExceptionRaiseRelease
            • String ID:
            • API String ID: 603618608-0
            • Opcode ID: ff628c3d4a68ed7f72bf70575f598598046d1ce1da4af0f3fa9cf7f6756f63ed
            • Instruction ID: a47ea237285aac274ce6479610e9d547e279f9e20a191a071e4b4d5417f4498f
            • Opcode Fuzzy Hash: ff628c3d4a68ed7f72bf70575f598598046d1ce1da4af0f3fa9cf7f6756f63ed
            • Instruction Fuzzy Hash: 730184B5E00218BFEB109BA58C45B5EBFBDEF49751F004066EA04E7390DA709C01DB60
            APIs
            • __init_pointers.LIBCMT ref: 00F97B47
              • Part of subcall function 00F9123A: __initp_misc_winsig.LIBCMT ref: 00F9125E
              • Part of subcall function 00F9123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F97F51
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F97F65
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F97F78
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F97F8B
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F97F9E
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F97FB1
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F97FC4
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F97FD7
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F97FEA
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F97FFD
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F98010
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F98023
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F98036
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F98049
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F9805C
              • Part of subcall function 00F9123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00F9806F
            • __mtinitlocks.LIBCMT ref: 00F97B4C
              • Part of subcall function 00F97E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0102AC68,00000FA0,?,?,00F97B51,00F95E77,01026C70,00000014), ref: 00F97E41
            • __mtterm.LIBCMT ref: 00F97B55
              • Part of subcall function 00F97BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F97B5A,00F95E77,01026C70,00000014), ref: 00F97D3F
              • Part of subcall function 00F97BBD: _free.LIBCMT ref: 00F97D46
              • Part of subcall function 00F97BBD: DeleteCriticalSection.KERNEL32(0102AC68,?,?,00F97B5A,00F95E77,01026C70,00000014), ref: 00F97D68
            • __calloc_crt.LIBCMT ref: 00F97B7A
            • GetCurrentThreadId.KERNEL32 ref: 00F97BA3
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
            • String ID:
            • API String ID: 2942034483-0
            • Opcode ID: ed9a1c5086913cc4c90009454e34f23ec7e16c872d99a250255473c8c02d62b5
            • Instruction ID: 8de3fe00d148849e83f87d5e1d59452a6a3c24b1b7b2b264380efe268eb14341
            • Opcode Fuzzy Hash: ed9a1c5086913cc4c90009454e34f23ec7e16c872d99a250255473c8c02d62b5
            • Instruction Fuzzy Hash: 15F0963293D31219FE397F347C0664B3784BF41734B200699F8A4C50DAFF2988417160
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F7281D
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F72825
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F72830
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F7283B
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F72843
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7284B
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            • Opcode ID: fa04682054eb13225b3b4095d891d9bd1dbe52e8b472ac3719083a4b381099cb
            • Instruction ID: d761c84176fca4e90637e8c25b068738039d801b49f94c1a208d224574a4bf89
            • Opcode Fuzzy Hash: fa04682054eb13225b3b4095d891d9bd1dbe52e8b472ac3719083a4b381099cb
            • Instruction Fuzzy Hash: 460167B0902B5EBDE3008F6A8C85B52FFA8FF19354F00411BA15C87A42C7F5A864CBE5
            Similarity
            • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 1423608774-0
            • Opcode ID: ed4c9b2963724ccb6051638351b1eebefa34385f79033d37bacc1856ebd574e3
            • Instruction ID: 67c0132f0c7cb041561dd77f2c52b50110a25bc98a70a3f1151cad20aa22be11
            • Opcode Fuzzy Hash: ed4c9b2963724ccb6051638351b1eebefa34385f79033d37bacc1856ebd574e3
            • Instruction Fuzzy Hash: 4801A432606215ABD7152F59EC88EFF776EFF89711B14042AF603920A0DBB89800FF90
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FB7C07
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FB7C1D
            • GetWindowThreadProcessId.USER32(?,?), ref: 00FB7C2C
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FB7C3B
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FB7C45
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FB7C4C
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            • Opcode ID: f52927e7b281e41e7bf6c441613ff403404c3b31fbed0f1bc134478eff95ff26
            • Instruction ID: 81a6cbe058747c938fee1333c38262f9136562aab4a74b359ebca1e38e632696
            • Opcode Fuzzy Hash: f52927e7b281e41e7bf6c441613ff403404c3b31fbed0f1bc134478eff95ff26
            • Instruction Fuzzy Hash: A6F0177224215CBBE7215B529C0EEEF7F7DEFC6B15F000018FA01D1151EBA05A41E6B5
            APIs
            • InterlockedExchange.KERNEL32(?,?), ref: 00FB9A33
            • EnterCriticalSection.KERNEL32(?,?,?,?,00FE5DEE,?,?,?,?,?,00F7ED63), ref: 00FB9A44
            • TerminateThread.KERNEL32(?,000001F6,?,?,?,00FE5DEE,?,?,?,?,?,00F7ED63), ref: 00FB9A51
            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00FE5DEE,?,?,?,?,?,00F7ED63), ref: 00FB9A5E
              • Part of subcall function 00FB93D1: CloseHandle.KERNEL32(?,?,00FB9A6B,?,?,?,00FE5DEE,?,?,?,?,?,00F7ED63), ref: 00FB93DB
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00FB9A71
            • LeaveCriticalSection.KERNEL32(?,?,?,?,00FE5DEE,?,?,?,?,?,00F7ED63), ref: 00FB9A78
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            • Opcode ID: 5531f29f0eeaa605d3df74389fec0093852499de793bef1753f9094e3e942689
            • Instruction ID: bd54c8ac45763315251ed6c0646f94afd1612c37b976355541abf29f41a80004
            • Opcode Fuzzy Hash: 5531f29f0eeaa605d3df74389fec0093852499de793bef1753f9094e3e942689
            • Instruction Fuzzy Hash: A8F05E32545219ABD7111FA8EC89EFE776EFF85711B140425F603910A0DBB99801FB90
            APIs
              • Part of subcall function 00F8F4EA: std::exception::exception.LIBCMT ref: 00F8F51E
              • Part of subcall function 00F8F4EA: __CxxThrowException@8.LIBCMT ref: 00F8F533
            • __swprintf.LIBCMT ref: 00F71EA6
            Strings
            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F71D49
            Similarity
            • API ID: Exception@8Throw__swprintfstd::exception::exception
            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
            • API String ID: 2125237772-557222456
            • Opcode ID: 33eb6a3ee206abf5a5ab683af0b9b4e22ab4b4b628e6c644d87f22ca1ddc1e69
            • Instruction ID: ee768028203a1b1db99aaabc45f0adbdb6f992ef5c703deebebfa550fd746b4a
            • Opcode Fuzzy Hash: 33eb6a3ee206abf5a5ab683af0b9b4e22ab4b4b628e6c644d87f22ca1ddc1e69
            • Instruction Fuzzy Hash: 34918C725042419FD724EF28CC95C6AB7B4BF85710F04892EF889972A1DB34ED09EB93
            APIs
            • VariantInit.OLEAUT32(?), ref: 00FCB006
            • CharUpperBuffW.USER32(?,?), ref: 00FCB115
            • VariantClear.OLEAUT32(?), ref: 00FCB298
              • Part of subcall function 00FB9DC5: VariantInit.OLEAUT32(00000000), ref: 00FB9E05
              • Part of subcall function 00FB9DC5: VariantCopy.OLEAUT32(?,?), ref: 00FB9E0E
              • Part of subcall function 00FB9DC5: VariantClear.OLEAUT32(?), ref: 00FB9E1A
            Strings
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4237274167-1221869570
            • Opcode ID: 16113c6593d408e5813e1e12392cd23891dd663e08c27faf8ebfb931fdad7011
            • Instruction ID: 7639c0c20bfc560b59c531ceb253b4e012ce31cf443a9b5abd08682dda490526
            • Opcode Fuzzy Hash: 16113c6593d408e5813e1e12392cd23891dd663e08c27faf8ebfb931fdad7011
            • Instruction Fuzzy Hash: A9917C756083029FCB10DF24C986E9AB7E4FF89710F04886EF89A9B351DB35E905DB52
            APIs
              • Part of subcall function 00F8C6F4: _wcscpy.LIBCMT ref: 00F8C717
            • _memset.LIBCMT ref: 00FB5438
            • GetMenuItemInfoW.USER32(?), ref: 00FB5467
            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FB5513
            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FB553D
            Strings
            Similarity
            • API ID: ItemMenu$Info$Default_memset_wcscpy
            • String ID: 0
            • API String ID: 4152858687-4108050209
            • Opcode ID: 7ebdd1214b475708d86b4f706c92156fa82f40018aa500f306604657eb9ad5b3
            • Instruction ID: 824ec2cb23252229bb08221f85482152b743430e78d0b8641d61459f99c5cbba
            • Opcode Fuzzy Hash: 7ebdd1214b475708d86b4f706c92156fa82f40018aa500f306604657eb9ad5b3
            • Instruction Fuzzy Hash: EA512371A047019BD725DB2AC8407EBB7E9AF85B25F0C052EF895D3190DBB8CD44AF52
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FB027B
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FB02B1
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FB02C2
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FB0344
            Strings
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: DllGetClassObject
            • API String ID: 753597075-1075368562
            • Opcode ID: 762b36f16adf43c05794aa3f5f8425e46f6855c4b591695a75442c8294e1e971
            • Instruction ID: 6bfdbeaae988693bfe5819f4604b86f16bb820cc9f8aaa0dbca57455edbced14
            • Opcode Fuzzy Hash: 762b36f16adf43c05794aa3f5f8425e46f6855c4b591695a75442c8294e1e971
            • Instruction Fuzzy Hash: 78414D71600204EFDB15CF55C888BAB7BE9EF44314B1880A9E909DF246DBB5D944EFA0
            APIs
            • _memset.LIBCMT ref: 00FB5075
            • GetMenuItemInfoW.USER32 ref: 00FB5091
            • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00FB50D7
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01031708,00000000), ref: 00FB5120
            Strings
            Similarity
            • API ID: Menu$Delete$InfoItem_memset
            • String ID: 0
            • API String ID: 1173514356-4108050209
            • Opcode ID: 5d7adbb5b91caabc69b85afc745622689d3c6afaa6eaa75b8f9fccee77fe4a5c
            • Instruction ID: f7d7370bc3b36670c4497db3b08a40f581e79fd8efbb8d66f6a9af04aad84d1c
            • Opcode Fuzzy Hash: 5d7adbb5b91caabc69b85afc745622689d3c6afaa6eaa75b8f9fccee77fe4a5c
            • Instruction Fuzzy Hash: DE41F2712047019FD720DF29DC80BAAB7E8AF89B24F14461EF99597291D778E804DF62
            APIs
            • CharLowerBuffW.USER32(?,?,?,?), ref: 00FD0587
            Strings
            Similarity
            • API ID: BuffCharLower
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 2358735015-567219261
            • Opcode ID: 7d7b6b4d2176485345ca2d4b5844d1ce617acc6e434f06dae3f13d4e5617161d
            • Instruction ID: fbb1285d0de1f6113380d24f1e34665e60bd5627849405b6e7b3b9518232c17d
            • Opcode Fuzzy Hash: 7d7b6b4d2176485345ca2d4b5844d1ce617acc6e434f06dae3f13d4e5617161d
            • Instruction Fuzzy Hash: B2318D31900216ABCB00EF68CC51AEEB3B5FF55320B00862AE866A7791DB75E915DB80
            APIs
            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FAB88E
            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FAB8A1
            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00FAB8D1
            Strings
            Similarity
            • API ID: MessageSend
            • String ID: ComboBox$ListBox
            • API String ID: 3850602802-1403004172
            • Opcode ID: ac9ea365df0b9a14030b7106e9926eced3455634afe707ad10d7e42857c98b4f
            • Instruction ID: edc5c345d8307248ec722b598c90b10ebdf3d9092e0e1549693f6a0cf4144102
            • Opcode Fuzzy Hash: ac9ea365df0b9a14030b7106e9926eced3455634afe707ad10d7e42857c98b4f
            • Instruction Fuzzy Hash: FE21A2B6900108AFDB04ABB8DC869FE777DDF46360B14412DF015A61E1DB7C590AB760
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FC4401
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FC4427
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FC4457
            • InternetCloseHandle.WININET(00000000), ref: 00FC449E
              • Part of subcall function 00FC5052: GetLastError.KERNEL32(?,?,00FC43CC,00000000,00000000,00000001), ref: 00FC5067
            Strings
            Similarity
            • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 1951874230-3916222277
            • Opcode ID: 23f0afef7aeb50c98e266dea1198f2bb88b9afe877aa4773ca5c6c958556cc6a
            • Instruction ID: afcf480a6ae621c273934d76d6bb3144dc4674b50483c66596406cdc05c171a1
            • Opcode Fuzzy Hash: 23f0afef7aeb50c98e266dea1198f2bb88b9afe877aa4773ca5c6c958556cc6a
            • Instruction Fuzzy Hash: CC21B0B290020ABEE711EF54CD96FBBBAEDEF48B58F20841EF505D6140DA64AD05A770
            APIs
              • Part of subcall function 00F8D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F8D1BA
              • Part of subcall function 00F8D17C: GetStockObject.GDI32(00000011), ref: 00F8D1CE
              • Part of subcall function 00F8D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F8D1D8
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FD915C
            • LoadLibraryW.KERNEL32(?), ref: 00FD9163
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FD9178
            • DestroyWindow.USER32(?), ref: 00FD9180
            Strings
            Similarity
            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
            • String ID: SysAnimate32
            • API String ID: 4146253029-1011021900
            • Opcode ID: b76c58e4dd1cd63f4e39026a59cb70ef39cf4aa274360730a34517ca4598344c
            • Instruction ID: 24fb857ac03fcfbfce79bcaf023bec59c6118754e36e0cc92b2f87148b917c15
            • Opcode Fuzzy Hash: b76c58e4dd1cd63f4e39026a59cb70ef39cf4aa274360730a34517ca4598344c
            • Instruction Fuzzy Hash: 4B219271604206BBEF104FA4DC88EBA37AEEF59374F18061AF95492290C7B1DC41B760
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 00FB9588
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB95B9
            • GetStdHandle.KERNEL32(0000000C), ref: 00FB95CB
            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00FB9605
            Strings
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: f3d32e817bffaf39d46ce6cf18936e56dba2e9ae77f6393288e2dbc4898d9aaa
            • Instruction ID: c3a7f12657f34132b84023b0c0bce86c7adae6d45a3c5da62ca5dd83ab21af04
            • Opcode Fuzzy Hash: f3d32e817bffaf39d46ce6cf18936e56dba2e9ae77f6393288e2dbc4898d9aaa
            • Instruction Fuzzy Hash: 14219271A44209ABDB219F26DC05ADA77F8AF44720F244A19FAA1D72D0D7B0D940EF60
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 00FB9653
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB9683
            • GetStdHandle.KERNEL32(000000F6), ref: 00FB9694
            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00FB96CE
            Strings
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: d118a310ed1f2d0479c4247ef3ad608bc008fe5f446bd55a5be72353658cf457
            • Instruction ID: 04023a582dc08e48a8083b758033f7333bc803bbca68369a1e8e5ba9043b5c5c
            • Opcode Fuzzy Hash: d118a310ed1f2d0479c4247ef3ad608bc008fe5f446bd55a5be72353658cf457
            • Instruction Fuzzy Hash: 9C218E71A042099BDB209F6A8C05EDA77A9AF54730F200A18EAB1D72D0D7B09841EF50
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00FBDB0A
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FBDB5E
            • __swprintf.LIBCMT ref: 00FBDB77
            • SetErrorMode.KERNEL32(00000000,00000001,00000000,0100DC00), ref: 00FBDBB5
            Strings
            Similarity
            • API ID: ErrorMode$InformationVolume__swprintf
            • String ID: %lu
            • API String ID: 3164766367-685833217
            • Opcode ID: 615339f00f1b8fecf2d3e419842e9c67592229bfd0be3f1b7775616cb0f24d05
            • Instruction ID: c4a6876a02a0591b11817edb2deaee1613bd0a7b75864994b4ca6a4b6d6a3e3f
            • Opcode Fuzzy Hash: 615339f00f1b8fecf2d3e419842e9c67592229bfd0be3f1b7775616cb0f24d05
            • Instruction Fuzzy Hash: 55219535A00109AFDB10EFA5CD85EEEBBB9EF89704B104069F509D7251DB74EA01EF61
            APIs
              • Part of subcall function 00FAC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FAC84A
              • Part of subcall function 00FAC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FAC85D
              • Part of subcall function 00FAC82D: GetCurrentThreadId.KERNEL32 ref: 00FAC864
              • Part of subcall function 00FAC82D: AttachThreadInput.USER32(00000000), ref: 00FAC86B
            • GetFocus.USER32 ref: 00FACA05
              • Part of subcall function 00FAC876: GetParent.USER32(?), ref: 00FAC884
            • GetClassNameW.USER32(?,?,00000100), ref: 00FACA4E
            • EnumChildWindows.USER32(?,00FACAC4), ref: 00FACA76
            • __swprintf.LIBCMT ref: 00FACA90
            Strings
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
            • String ID: %s%d
            • API String ID: 3187004680-1110647743
            APIs
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FD19F3
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FD1A26
            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00FD1B49
            • CloseHandle.KERNEL32(?), ref: 00FD1BBF
            Similarity
            • API ID: Process$CloseCountersHandleInfoMemoryOpen
            • String ID:
            • API String ID: 2364364464-0
            APIs
            • VariantInit.OLEAUT32(?), ref: 00FB1CB4
            • VariantClear.OLEAUT32(00000013), ref: 00FB1D26
            • VariantClear.OLEAUT32(00000000), ref: 00FB1D81
            • VariantClear.OLEAUT32(?), ref: 00FB1DF8
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FB1E26
            Similarity
            • API ID: Variant$Clear$ChangeInitType
            • String ID:
            • API String ID: 4136290138-0
            APIs
              • Part of subcall function 00F7936C: __swprintf.LIBCMT ref: 00F793AB
              • Part of subcall function 00F7936C: __itow.LIBCMT ref: 00F793DF
            • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00FD06EE
            • GetProcAddress.KERNEL32(00000000,?), ref: 00FD077D
            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00FD079B
            • GetProcAddress.KERNEL32(00000000,?), ref: 00FD07E1
            • FreeLibrary.KERNEL32(00000000,00000004), ref: 00FD07FB
              • Part of subcall function 00F8E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00FBA574,?,?,00000000,00000008), ref: 00F8E675
              • Part of subcall function 00F8E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00FBA574,?,?,00000000,00000008), ref: 00F8E699
            Similarity
            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
            • String ID:
            • API String ID: 327935632-0
            APIs
              • Part of subcall function 00FD3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FD2BB5,?,?), ref: 00FD3C1D
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FD2EEF
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FD2F2E
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FD2F75
            • RegCloseKey.ADVAPI32(?,?), ref: 00FD2FA1
            • RegCloseKey.ADVAPI32(00000000), ref: 00FD2FAE
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
            • String ID:
            • API String ID: 3740051246-0
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FC12B4
            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00FC12DD
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FC131C
              • Part of subcall function 00F7936C: __swprintf.LIBCMT ref: 00F793AB
              • Part of subcall function 00F7936C: __itow.LIBCMT ref: 00F793DF
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FC1341
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FC1349
            Similarity
            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
            • String ID:
            • API String ID: 1389676194-0
            APIs
            • GetCursorPos.USER32(000000FF), ref: 00F8B64F
            • ScreenToClient.USER32(00000000,000000FF), ref: 00F8B66C
            • GetAsyncKeyState.USER32(00000001), ref: 00F8B691
            • GetAsyncKeyState.USER32(00000002), ref: 00F8B69F
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            APIs
            • GetWindowRect.USER32(?,?), ref: 00FAB369
            • PostMessageW.USER32(?,00000201,00000001), ref: 00FAB413
            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FAB41B
            • PostMessageW.USER32(?,00000202,00000000), ref: 00FAB429
            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FAB431
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            APIs
            • IsWindowVisible.USER32(?), ref: 00FADBD7
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FADBF4
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FADC2C
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FADC52
            • _wcsstr.LIBCMT ref: 00FADC5C
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
            • String ID:
            • API String ID: 3902887630-0
            APIs
              • Part of subcall function 00F8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F8B35F
            • GetWindowLongW.USER32(?,000000F0), ref: 00FDDEB0
            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00FDDED4
            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FDDEEC
            • GetSystemMetrics.USER32(00000004), ref: 00FDDF14
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00FC3A1E,00000000), ref: 00FDDF32
            Similarity
            • API ID: Window$Long$MetricsSystem
            • String ID:
            • API String ID: 2294984445-0
            APIs
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FABC90
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FABCC2
            • __itow.LIBCMT ref: 00FABCDA
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FABD00
            • __itow.LIBCMT ref: 00FABD11
            Similarity
            • API ID: MessageSend$__itow
            • String ID:
            • API String ID: 3379773720-0
            APIs
              • Part of subcall function 00F750E6: _wcsncpy.LIBCMT ref: 00F750FA
            • GetFileAttributesW.KERNEL32(?,?,?,?,00FB60C3), ref: 00FB6369
            • GetLastError.KERNEL32(?,?,?,00FB60C3), ref: 00FB6374
            • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00FB60C3), ref: 00FB6388
            • _wcsrchr.LIBCMT ref: 00FB63AA
              • Part of subcall function 00FB6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00FB60C3), ref: 00FB63E0
            Similarity
            • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
            • String ID:
            • API String ID: 3633006590-0
            APIs
              • Part of subcall function 00FCA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00FCA84E
            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FC8BD3
            • WSAGetLastError.WSOCK32(00000000), ref: 00FC8BE2
            • connect.WSOCK32(00000000,?,00000010), ref: 00FC8BFE
            Similarity
            • API ID: ErrorLastconnectinet_addrsocket
            • String ID:
            • API String ID: 3701255441-0
            APIs
            • IsWindow.USER32(00000000), ref: 00FC8441
            • GetForegroundWindow.USER32 ref: 00FC8458
            • GetDC.USER32(00000000), ref: 00FC8494
            • GetPixel.GDI32(00000000,?,00000003), ref: 00FC84A0
            • ReleaseDC.USER32(00000000,00000003), ref: 00FC84DB
            Similarity
            • API ID: Window$ForegroundPixelRelease
            • String ID:
            • API String ID: 4156661090-0
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00F8AFE3
            • SelectObject.GDI32(?,00000000), ref: 00F8AFF2
            • BeginPath.GDI32(?), ref: 00F8B009
            • SelectObject.GDI32(?,00000000), ref: 00F8B033
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            APIs
            • __calloc_crt.LIBCMT ref: 00F921A9
            • CreateThread.KERNEL32(?,?,00F922DF,00000000,?,?), ref: 00F921ED
            • GetLastError.KERNEL32 ref: 00F921F7
            • _free.LIBCMT ref: 00F92200
            • __dosmaperr.LIBCMT ref: 00F9220B
              • Part of subcall function 00F97C0E: __getptd_noexit.LIBCMT ref: 00F97C0E
            Similarity
            • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
            • String ID:
            • API String ID: 2664167353-0
            APIs
            • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FAABD7
            • GetLastError.KERNEL32(?,00FAA69F,?,?,?), ref: 00FAABE1
            • GetProcessHeap.KERNEL32(00000008,?,?,00FAA69F,?,?,?), ref: 00FAABF0
            • HeapAlloc.KERNEL32(00000000,?,00FAA69F,?,?,?), ref: 00FAABF7
            • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FAAC0E
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            • Opcode ID: ad5c00c6b7157130b89eb52ed7e22c2352ae8435d3d8c8db1b09b0d6bba62b14
            • Instruction ID: 921cc022d4c1500f9594b3ac03cc6b3f88ce2d4db09eb0945969e69ade8372d6
            • Opcode Fuzzy Hash: ad5c00c6b7157130b89eb52ed7e22c2352ae8435d3d8c8db1b09b0d6bba62b14
            • Instruction Fuzzy Hash: 430119B1600208BFEB114FA9DC48DBB3BAEEF8A7657100429F949C3260DB71DD54EB61
            APIs
            • CLSIDFromProgID.OLE32 ref: 00FA9ADC
            • ProgIDFromCLSID.OLE32(?,00000000), ref: 00FA9AF7
            • lstrcmpiW.KERNEL32(?,00000000), ref: 00FA9B05
            • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00FA9B15
            • CLSIDFromString.OLE32(?,?), ref: 00FA9B21
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            • Opcode ID: a0255c32a009f81e18180c63c1b9d2fc448ff4633c417ebee81dc1a9c267b05c
            • Instruction ID: a450be6fffccb492450659535da755bd83435018e0ef00e228e29d8a1e74e9a8
            • Opcode Fuzzy Hash: a0255c32a009f81e18180c63c1b9d2fc448ff4633c417ebee81dc1a9c267b05c
            • Instruction Fuzzy Hash: DD012CB6A00219AFDB114F54ED44BAA7AEEEF857A2F244035F905D2210D7B4DE40EBB0
            APIs
            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FB7A74
            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00FB7A82
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FB7A8A
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00FB7A94
            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FB7AD0
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            • Opcode ID: 8125dd56bd6b830425bef555ad51bc959e4e4a9fd80346ac6d24298c4b609ab4
            • Instruction ID: eb62861aad7cd876fbe132d2c9b1023abfaa0c601f6425c6662b5d1e651ba0e0
            • Opcode Fuzzy Hash: 8125dd56bd6b830425bef555ad51bc959e4e4a9fd80346ac6d24298c4b609ab4
            • Instruction Fuzzy Hash: 30010532D0861DABDF00AFE6DC48AEDBB7DFF48711F000496E502B2160DB389650EBA1
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FAAADA
            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FAAAE4
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FAAAF3
            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FAAAFA
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FAAB10
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: ac0cf2345708275a01e39c8d31b07f3edba77b603956a1e9c2752e8d99374b8e
            • Instruction ID: d79187a76be365626666e66d5f5b8c354e1da220ad96f4027ebf73526bbe133d
            • Opcode Fuzzy Hash: ac0cf2345708275a01e39c8d31b07f3edba77b603956a1e9c2752e8d99374b8e
            • Instruction Fuzzy Hash: AFF04F716002086FEB120FA4EC88E773B6EFF867A8F00002AF941C7190CB609805EA71
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FAAA79
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FAAA83
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FAAA92
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FAAA99
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FAAAAF
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 23d9829e5abc2825dbc9188227a37181029279cd8d467e85ece82b5c4d29443b
            • Instruction ID: 0cc86a1383d1ca04b31fee17fa63f831481032cf49415d8fa2687a6284e1040c
            • Opcode Fuzzy Hash: 23d9829e5abc2825dbc9188227a37181029279cd8d467e85ece82b5c4d29443b
            • Instruction Fuzzy Hash: CFF04F71600208AFEB115FA4EC89E773BADFF4A764F004419F941C7190DB659C45EA61
            APIs
            • GetDlgItem.USER32(?,000003E9), ref: 00FAEC94
            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00FAECAB
            • MessageBeep.USER32(00000000), ref: 00FAECC3
            • KillTimer.USER32(?,0000040A), ref: 00FAECDF
            • EndDialog.USER32(?,00000001), ref: 00FAECF9
            Similarity
            • API ID: BeepDialogItemKillMessageTextTimerWindow
            • String ID:
            • API String ID: 3741023627-0
            • Opcode ID: 206e4962123551bd2c6d65a58157fc331f0b25d07fe6b8afb913a56f44daddd2
            • Instruction ID: 85eb433ee0161153eddd924909f57bec4006e2b822360b01a448c75c70f65de3
            • Opcode Fuzzy Hash: 206e4962123551bd2c6d65a58157fc331f0b25d07fe6b8afb913a56f44daddd2
            • Instruction Fuzzy Hash: 6A01A471900708ABEB246B10DE4EBA677BDFF01B15F040559B583A54E1DBF4AA44EB50
            APIs
            • EndPath.GDI32(?), ref: 00F8B0BA
            • StrokeAndFillPath.GDI32(?,?,00FEE680,00000000,?,?,?), ref: 00F8B0D6
            • SelectObject.GDI32(?,00000000), ref: 00F8B0E9
            • DeleteObject.GDI32 ref: 00F8B0FC
            • StrokePath.GDI32(?), ref: 00F8B117
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: 8bdcc3c54db31fdc85ee99fd6ffba91bf979ec144ba7b6f7c08d1b21fbe3319b
            • Instruction ID: 950e3e80ad4c0655b6a872d0f6a787c02b4de26908aa455366a5ccbb224350c5
            • Opcode Fuzzy Hash: 8bdcc3c54db31fdc85ee99fd6ffba91bf979ec144ba7b6f7c08d1b21fbe3319b
            • Instruction Fuzzy Hash: B6F0C934100648EFDB21AFA5E90D7A53B69AB19362F088315E4A5491F4CB3A8965FF60
            APIs
            • CoInitialize.OLE32(00000000), ref: 00FBF2DA
            • CoCreateInstance.OLE32(00FFDA7C,00000000,00000001,00FFD8EC,?), ref: 00FBF2F2
            • CoUninitialize.OLE32 ref: 00FBF555
            Strings
            Similarity
            • API ID: CreateInitializeInstanceUninitialize
            • String ID: .lnk
            • API String ID: 948891078-24824748
            • Opcode ID: 3a944de2088531214a6a8ad39c68a0e991ca6f806e38ac25aba1a5f8d8258a8f
            • Instruction ID: e73c11df14f0818b1dc3a82659e6c5fddc6e1933f1e32b78afa03e60e8a8e49d
            • Opcode Fuzzy Hash: 3a944de2088531214a6a8ad39c68a0e991ca6f806e38ac25aba1a5f8d8258a8f
            • Instruction Fuzzy Hash: 0BA11A71104201AFD300EF64CC81DAFB7E8EF99714F00895DF559971A2DB74EA09DBA2
            APIs
              • Part of subcall function 00F7660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F753B1,?,?,00F761FF,?,00000000,00000001,00000000), ref: 00F7662F
            • CoInitialize.OLE32(00000000), ref: 00FBE85D
            • CoCreateInstance.OLE32(00FFDA7C,00000000,00000001,00FFD8EC,?), ref: 00FBE876
            • CoUninitialize.OLE32 ref: 00FBE893
              • Part of subcall function 00F7936C: __swprintf.LIBCMT ref: 00F793AB
              • Part of subcall function 00F7936C: __itow.LIBCMT ref: 00F793DF
            Strings
            Similarity
            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
            • String ID: .lnk
            • API String ID: 2126378814-24824748
            • Opcode ID: 4af00eb0c448f066c825c0655d52f854db3ffdef849c225ffa89dc7a663d0443
            • Instruction ID: de0b5194e71bd4b86528d999ba7531d765cad81cfccb71a1903a90fc5b2687d6
            • Opcode Fuzzy Hash: 4af00eb0c448f066c825c0655d52f854db3ffdef849c225ffa89dc7a663d0443
            • Instruction Fuzzy Hash: FFA147356043019FCB10DF15C8849AEBBEAFF89320F148949F9999B3A1CB35EC45DB92
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 00F932ED
              • Part of subcall function 00F9E0D0: __87except.LIBCMT ref: 00F9E10B
            Strings
            Similarity
            • API ID: ErrorHandling__87except__start
            • String ID: pow
            • API String ID: 2905807303-2276729525
            • Opcode ID: dc6429f22a8cd253235a189a3cdfde172490e0d4321675526589e0f21ef32c3f
            • Instruction ID: 9f24175e3c9107acd3beb4f650da24db920f054b9fd5d1f5ecfffc1244be972f
            • Opcode Fuzzy Hash: dc6429f22a8cd253235a189a3cdfde172490e0d4321675526589e0f21ef32c3f
            • Instruction Fuzzy Hash: 85514732E0820196FF22FB14C94577A3B949B40730F308D69F4D582299DF3A8ED8BB46
            APIs
            • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0100DC50,?,0000000F,0000000C,00000016,0100DC50,?), ref: 00FB4645
              • Part of subcall function 00F7936C: __swprintf.LIBCMT ref: 00F793AB
              • Part of subcall function 00F7936C: __itow.LIBCMT ref: 00F793DF
            • CharUpperBuffW.USER32(?,?,00000000,?), ref: 00FB46C5
            Strings
            Similarity
            • API ID: BuffCharUpper$__itow__swprintf
            • String ID: REMOVE$THIS
            • API String ID: 3797816924-776492005
            • Opcode ID: 1ac3f3e44d7f2c1f18a26ba9db7fec6c19e8d68d2de2f5141523938609ec756f
            • Instruction ID: 0a2d7609ba459cc25f0bf3eb69fa576236f3ff32aa1545177adbb886b2320da2
            • Opcode Fuzzy Hash: 1ac3f3e44d7f2c1f18a26ba9db7fec6c19e8d68d2de2f5141523938609ec756f
            • Instruction Fuzzy Hash: 5D41B134A002099FCF00EF65C981AEDB7B5FF49314F148059E91AAB292DB38EC05EF51
            APIs
              • Part of subcall function 00FB430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FABC08,?,?,00000034,00000800,?,00000034), ref: 00FB4335
            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FAC1D3
              • Part of subcall function 00FB42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FABC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00FB4300
              • Part of subcall function 00FB422F: GetWindowThreadProcessId.USER32(?,?), ref: 00FB425A
              • Part of subcall function 00FB422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FABBCC,00000034,?,?,00001004,00000000,00000000), ref: 00FB426A
              • Part of subcall function 00FB422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FABBCC,00000034,?,?,00001004,00000000,00000000), ref: 00FB4280
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FAC240
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FAC28D
            Strings
            Similarity
            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
            • String ID: @
            • API String ID: 4150878124-2766056989
            • Opcode ID: de043986a8ebedc80aadf90a0cf9bde4b4c5a9f9a94476a2009fddea92910d0f
            • Instruction ID: 1981ba23688f43bf5593f099c16504072f3dc17727744eb04ab2c598f1164e81
            • Opcode Fuzzy Hash: de043986a8ebedc80aadf90a0cf9bde4b4c5a9f9a94476a2009fddea92910d0f
            • Instruction Fuzzy Hash: D84138B2A00218AEDB10DBA4CD81BEEB7B8EF09710F044095FA45B7181DA756E45EBA1
            APIs
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0100DC00,00000000,?,?,?,?), ref: 00FDA6D8
            • GetWindowLongW.USER32 ref: 00FDA6F5
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FDA705
            Strings
            Similarity
            • API ID: Window$Long
            • String ID: SysTreeView32
            • API String ID: 847901565-1698111956
            • Opcode ID: 56e64c13f78a46fd818ce9fadbfb1748466ea80ffe09aa9a9c6de24217277d1f
            • Instruction ID: 8978f462d166667c81d0571d3dfb347bcf53828680146c6b6c55ef87dc415e67
            • Opcode Fuzzy Hash: 56e64c13f78a46fd818ce9fadbfb1748466ea80ffe09aa9a9c6de24217277d1f
            • Instruction Fuzzy Hash: FC31B031500209ABDB119F78CC41BEA7BAAFF49334F284716F875932E0D774E850AB55
            APIs
            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FDA15E
            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FDA172
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FDA196
            Strings
            Similarity
            • API ID: MessageSend$Window
            • String ID: SysMonthCal32
            • API String ID: 2326795674-1439706946
            • Opcode ID: 83e241dd3ad8e1c26ad7b2449d5c0e828eb9e2948b43710123f306e97ea59b67
            • Instruction ID: 781fb1cdebe99b0bef8fe6d4a5b421ae7f7d8dc2feb49b45c9e0b1074f7a8f9c
            • Opcode Fuzzy Hash: 83e241dd3ad8e1c26ad7b2449d5c0e828eb9e2948b43710123f306e97ea59b67
            • Instruction Fuzzy Hash: FC21D132500218ABEF119F94CC42FEA3B7AEF48724F140215FE55AB2D0D6B5AC51EB94
            APIs
            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FDA941
            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FDA94F
            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FDA956
            Strings
            Similarity
            • API ID: MessageSend$DestroyWindow
            • String ID: msctls_updown32
            • API String ID: 4014797782-2298589950
            • Opcode ID: 8d6907f6f344c605b32d8d822e1fd00d61b47bebfe86faf6c8f0b9b01ea2acc0
            • Instruction ID: 2183233cc440388695ad048415ae1d4cacd3f75940b8217f8088afbc5af65c5e
            • Opcode Fuzzy Hash: 8d6907f6f344c605b32d8d822e1fd00d61b47bebfe86faf6c8f0b9b01ea2acc0
            • Instruction Fuzzy Hash: 4B2160B5600209AFEB11DF58CC91D7737AEEF5A3A4B09015AFA049B351CB35EC11EB62
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FD9A30
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FD9A40
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FD9A65
            Strings
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            • Opcode ID: 41e0c0ee273c63aad9043c365b8315531441f52a241b761510c3d410949497cd
            • Instruction ID: 8b3b1c9ef5bfbc0a340383af976c28de57b0747a73d3c4d737e3c7f0b2df3830
            • Opcode Fuzzy Hash: 41e0c0ee273c63aad9043c365b8315531441f52a241b761510c3d410949497cd
            • Instruction Fuzzy Hash: B821C832614118BFDB118F94CC85FBB376FEF89764F054119F9549B290C6B59C11E790
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FDA46D
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FDA482
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FDA48F
            Strings
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            • Opcode ID: c2f857f64c7c2354618d509faf309a540fab9cc6a1441ce9c0e7f5ec3706a484
            • Instruction ID: 565fc8c8ccd9024b74c21a4dd7d8b75d0b11dbcdc70e5b09c0b948cd25649d57
            • Opcode Fuzzy Hash: c2f857f64c7c2354618d509faf309a540fab9cc6a1441ce9c0e7f5ec3706a484
            • Instruction Fuzzy Hash: 04113A71600208BEEF219F64CC09FEB376EEF89768F05011DFA45961E1D2B6E811EB24
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00F92350,?), ref: 00F922A1
            • GetProcAddress.KERNEL32(00000000), ref: 00F922A8
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RoInitialize$combase.dll
            • API String ID: 2574300362-340411864
            • Opcode ID: 752bc7655eecbf8a2fc1c38dca071f412ca8963389f2b509c4a003a8b49f0801
            • Instruction ID: 649c033bd6b5c738a8d19a0b488de318da70fe4999fc5b00a9876692cb590c4f
            • Opcode Fuzzy Hash: 752bc7655eecbf8a2fc1c38dca071f412ca8963389f2b509c4a003a8b49f0801
            • Instruction Fuzzy Hash: 38E01A74A95304ABEB705F70EC89B24366AAB01716F1040A0F282D6098CBBE8040EF08
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F92276), ref: 00F92376
            • GetProcAddress.KERNEL32(00000000), ref: 00F9237D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RoUninitialize$combase.dll
            • API String ID: 2574300362-2819208100
            • Opcode ID: 4bf552ed2963167d3d8d7176cdb7f5325c6a8f136fbeda8dfec265850910ec86
            • Instruction ID: 27f7662a7f9d1d6eaa61cffa1c3713ab3be1a7598bc268a85f891c11414091aa
            • Opcode Fuzzy Hash: 4bf552ed2963167d3d8d7176cdb7f5325c6a8f136fbeda8dfec265850910ec86
            • Instruction Fuzzy Hash: 0EE0B670646304EBEB706F62ED0DF243A7ABB00706F100414F289D25A8CBBE9410FB15
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: LocalTime__swprintf
            • String ID: %.3d$WIN_XPe
            • API String ID: 2070861257-2409531811
            • Opcode ID: 4efe4963e314d84ee0f5259b43722a0b840081e012ac12c5ce501c72d4bbc065
            • Instruction ID: afd30e7faf564b2fa5474f4eff08efa2615c3eeab0775401589016f25fc0ab5b
            • Opcode Fuzzy Hash: 4efe4963e314d84ee0f5259b43722a0b840081e012ac12c5ce501c72d4bbc065
            • Instruction Fuzzy Hash: 6CE0EC728046699BCA109B968D45AF9737CAB04741F6004D2F906A1000D635EB84BA13
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00F742EC,?,00F742AA,?), ref: 00F74304
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F74316
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-1355242751
            • Opcode ID: 86fff18ab572c965980a9c3a83b76be3ebdfb3ded509abbf4a3cf12ac2ee0168
            • Instruction ID: 9bddd49e0f3482700574008f4f681b364a48c5586c7e27f483145baf2e14ef97
            • Opcode Fuzzy Hash: 86fff18ab572c965980a9c3a83b76be3ebdfb3ded509abbf4a3cf12ac2ee0168
            • Instruction Fuzzy Hash: 91D0A730900B22AFD7204F61F80C61276DCAF04315B00841EE989D2120D770D880FA11
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00FD21FB,?,00FD23EF), ref: 00FD2213
            • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00FD2225
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetProcessId$kernel32.dll
            • API String ID: 2574300362-399901964
            • Opcode ID: 3acf1efb3611a6d4bcde3179ff1144cf02a69be0c6e65531ea929e5a9f398353
            • Instruction ID: 85dbebe24f34b93481c6a48634d807149f3ad5a10186761ea648e87ebdf16792
            • Opcode Fuzzy Hash: 3acf1efb3611a6d4bcde3179ff1144cf02a69be0c6e65531ea929e5a9f398353
            • Instruction Fuzzy Hash: 94D0A7348007269FE7214F71F80871176DEEF14325B04441EFCD5E2210D770D880F690
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,00F741BB,00F74341,?,00F7422F,?,00F741BB,?,?,?,?,00F739FE,?,00000001), ref: 00F74359
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F7436B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-3689287502
            • Opcode ID: d50d10117ed9c062b8c8b8b598bcb53e1ebf6d4b9207dbee3eee9a7b016bce68
            • Instruction ID: e5f7fa5a99f28f7b5f868c18d4040fbba5a2f1e153b415c2b2af0c49a0e8bcde
            • Opcode Fuzzy Hash: d50d10117ed9c062b8c8b8b598bcb53e1ebf6d4b9207dbee3eee9a7b016bce68
            • Instruction Fuzzy Hash: 86D0A7309407229FE7214F71E84861176DCAF18729B00851EE8C9D2110D770E880F611
            APIs
            • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00FB052F,?,00FB06D7), ref: 00FB0572
            • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00FB0584
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: UnRegisterTypeLibForUser$oleaut32.dll
            • API String ID: 2574300362-1587604923
            • Opcode ID: 53394b02244977e696bea5507843436a3bd8c32e5ae8a747bf178d47317c7cb3
            • Instruction ID: e09630f8651d7e31154d916b16592963c20c0aee0cef8e025c208a9dfd5a8bbd
            • Opcode Fuzzy Hash: 53394b02244977e696bea5507843436a3bd8c32e5ae8a747bf178d47317c7cb3
            • Instruction Fuzzy Hash: A9D09E709047269AE7605F66E808E56B7D9AF04615B14852DE89592510DA70D480DE60
            APIs
            • LoadLibraryA.KERNEL32(oleaut32.dll,?,00FB051D,?,00FB05FE), ref: 00FB0547
            • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00FB0559
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RegisterTypeLibForUser$oleaut32.dll
            • API String ID: 2574300362-1071820185
            • Opcode ID: fbd8d88f6b80601b34e911f50e5bdf5602e798b6b8f3cd3e2ca1e2ca9ed4740d
            • Instruction ID: dd996b30142d563ee7e7afd8bd3f3f55f793f9067ac6a72c7ac9f90e3d4f3f91
            • Opcode Fuzzy Hash: fbd8d88f6b80601b34e911f50e5bdf5602e798b6b8f3cd3e2ca1e2ca9ed4740d
            • Instruction Fuzzy Hash: 19D0A7308007269FD7308F62EC08A5276D8AF04315B14C42DF486D2510DA70C880DE10
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00FCECBE,?,00FCEBBB), ref: 00FCECD6
            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FCECE8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetSystemWow64DirectoryW$kernel32.dll
            • API String ID: 2574300362-1816364905
            • Opcode ID: aff6321057c474738f8b10fe120f070536d766c511b9cd2c0d83e7bde2386da9
            • Instruction ID: 9ed761bb906ea61d698d4f2b8662f992146c1c1cba770f662a9ba4146a57f9d0
            • Opcode Fuzzy Hash: aff6321057c474738f8b10fe120f070536d766c511b9cd2c0d83e7bde2386da9
            • Instruction Fuzzy Hash: DCD0C771900737DFDB209F65E949B5676EDAF04755B10841DFC95D2111DF70D880F650
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00FCBAD3,00000001,00FCB6EE,?,0100DC00), ref: 00FCBAEB
            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FCBAFD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetModuleHandleExW$kernel32.dll
            • API String ID: 2574300362-199464113
            • Opcode ID: 50b8dbeec133f2d7dc2d62a92255c6b9f67e5b30a280557e0c9dd65c1448fc3d
            • Instruction ID: ce72e23ae7953b3581fbfc9b017a27263cac4b51be44ff7212985ef4c42ec7cf
            • Opcode Fuzzy Hash: 50b8dbeec133f2d7dc2d62a92255c6b9f67e5b30a280557e0c9dd65c1448fc3d
            • Instruction Fuzzy Hash: 13D05E74C007239ED7305F61B84AF2176D8AF00314F00441DE883D2110D770C880EA10
            APIs
            • LoadLibraryA.KERNEL32(advapi32.dll,?,00FD3BD1,?,00FD3E06), ref: 00FD3BE9
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FD3BFB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2574300362-4033151799
            • Opcode ID: e03409a80b5d398e87caa5420b01dc7ee808438fecf217fdbf5f6d0489ece722
            • Instruction ID: 947807b48e8aed613dbe3eabca552efd79dad217922ed8a75330cfb49f72540f
            • Opcode Fuzzy Hash: e03409a80b5d398e87caa5420b01dc7ee808438fecf217fdbf5f6d0489ece722
            • Instruction Fuzzy Hash: A6D0C770910766DFD7305F65E80C657BAFAAF04729B14442EE595E2210D7B0D480EE52
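The records above share one shape: a LoadLibraryA/LoadLibraryExW call naming a DLL, followed by a GetProcAddress call naming an export (Wow64DisableWow64FsRedirection, GetProcessId, GetModuleHandleExW, RegDeleteKeyExW, RegisterTypeLibForUser and so on). Exports resolved this way never appear in the PE import table, so a triage analyst usually wants them collected per DLL. The parser below is an added example written for this page, not Joe Sandbox code; it reads "APIs" records in the layout rendered above (constructed sample lines copied from this report) and pairs each LoadLibrary* call with the GetProcAddress that follows it. In the combase.dll records the export name (RoInitialize, RoUninitialize) is shown only among the LoadLibraryExW arguments, while GetProcAddress shows a single argument, so the parser falls back to scanning the LoadLibrary arguments for an identifier that is neither a placeholder, a DLL name nor an 8-digit hex value; that fallback rule is an assumption of the example, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample input: "APIs" lines copied in the shape this report renders.
# It is not a full Joe Sandbox export, only enough records to exercise the parser.
SAMPLE_REPORT = """\
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00F92350,?), ref: 00F922A1
• GetProcAddress.KERNEL32(00000000), ref: 00F922A8
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,00F742EC,?,00F742AA,?), ref: 00F74304
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F74316
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00FD3BD1,?,00FD3E06), ref: 00FD3BE9
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FD3BFB
APIs
• CoInitialize.OLE32(00000000), ref: 00FCAAB4
• CoUninitialize.OLE32 ref: 00FCAABF
"""

# One traced call: "• Api.MODULE(arg,arg,...), ref: ADDR" or "• Api.MODULE ref: ADDR"
CALL_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_records(text):
    """Split the report text into records, one list of parsed calls per 'APIs' header."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = m.group("args")
            current.append({
                "api": m.group("api"),
                "module": m.group("module"),
                "args": [a.strip() for a in args.split(",")] if args is not None else [],
                "ref": m.group("ref"),
            })
    return records


def _looks_like_export(tok):
    # Heuristic (assumption of this example): an export name is a C identifier that is
    # not the tracer's '?' placeholder, not a DLL name and not an 8-digit hex value.
    if tok == "?" or HEX_RE.match(tok) or tok.lower().endswith(".dll"):
        return False
    return re.fullmatch(r"[A-Za-z_]\w*", tok) is not None


def resolved_imports(records):
    """Map lower-cased DLL name -> sorted export names the sample resolves at run time."""
    out = defaultdict(set)
    for calls in records:
        for i, call in enumerate(calls):
            if not call["api"].startswith("LoadLibrary") or not call["args"]:
                continue
            dll = call["args"][0].lower()
            if not dll.endswith(".dll"):
                continue
            # Prefer the name from the GetProcAddress that follows; otherwise fall back
            # to a name the tracer displayed among the LoadLibrary arguments.
            name = None
            nxt = calls[i + 1] if i + 1 < len(calls) else None
            if (nxt and nxt["api"] == "GetProcAddress" and len(nxt["args"]) > 1
                    and _looks_like_export(nxt["args"][1])):
                name = nxt["args"][1]
            else:
                name = next((a for a in call["args"][1:] if _looks_like_export(a)), None)
            if name:
                out[dll].add(name)
    return {dll: sorted(names) for dll, names in out.items()}


if __name__ == "__main__":
    for dll, names in sorted(resolved_imports(parse_records(SAMPLE_REPORT)).items()):
        print(f"{dll}: {', '.join(names)}")
```

Run against the sample it prints one line per DLL; the same two functions can be pointed at a full saved report to compare the run-time-resolved set against the static import table, which is where Wow64 redirection, registry and type-library helpers resolved this way would otherwise go unnoticed.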
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d00598e76a1627d63c869e0c3eafc59c916ac2cdd6c79555f00ea72faaabf0fd
            • Instruction ID: 40e0f788181a4fca384d22ab848065754f820d8aa2efd6cae20164771de432d2
            • Opcode Fuzzy Hash: d00598e76a1627d63c869e0c3eafc59c916ac2cdd6c79555f00ea72faaabf0fd
            • Instruction Fuzzy Hash: 7FC15FB5A0421AEFCB14CF94C884AAEB7B5FF49710F1045A8E915EB291D770DE41EBA0
            APIs
            • CoInitialize.OLE32(00000000), ref: 00FCAAB4
            • CoUninitialize.OLE32 ref: 00FCAABF
              • Part of subcall function 00FB0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FB027B
            • VariantInit.OLEAUT32(?), ref: 00FCAACA
            • VariantClear.OLEAUT32(?), ref: 00FCAD9D
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
            • String ID:
            • API String ID: 780911581-0
            • Opcode ID: 40a1f8fb172cb8acdc3ebf8c869d1625f399069a242c8d613eacfafe073c015a
            • Instruction ID: e609ea2b58b9e0e9487e67c68ef1f6b8077135db0881f99702f033b7500f6d7e
            • Opcode Fuzzy Hash: 40a1f8fb172cb8acdc3ebf8c869d1625f399069a242c8d613eacfafe073c015a
            • Instruction Fuzzy Hash: A6A137356046069FD710EF14C982B5AB7E5BF88324F04844DF99A9B3A2CB74FD44EB86
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Variant$AllocClearCopyInitString
            • String ID:
            • API String ID: 2808897238-0
            • Opcode ID: d66da08ad4243565542ce523ffe5222de41595d67e232c33807556b38e820fc6
            • Instruction ID: 1681d34a561e7f8666e527ae8a40657bc34d71db81c34b33089a0153359b90f9
            • Opcode Fuzzy Hash: d66da08ad4243565542ce523ffe5222de41595d67e232c33807556b38e820fc6
            • Instruction Fuzzy Hash: 1A5178B1A183069BDF249F66D89176EB3F9EF46310F20883FE546CB2D1DBB49840A715
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
            • String ID:
            • API String ID: 3877424927-0
            • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
            • Instruction ID: 04436d8f41cf48ffe70c0c1bd0506a37b06e546682a86bf73e1455c00e96de56
            • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
            • Instruction Fuzzy Hash: 125194B1E04305ABFF249FA98885A6E77A1AF40330F248729F835962D0D7759F50EF51
            APIs
            • GetWindowRect.USER32(01536D40,?), ref: 00FDC544
            • ScreenToClient.USER32(?,00000002), ref: 00FDC574
            • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00FDC5DA
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            • Opcode ID: 5dd12de00061d7d0093d8d5e82d49a8ca8e6026009a0f9deb6ab25b8ea667d0b
            • Instruction ID: 7d79e774f374e124ef51799865b7fa2ff8cac0bc5435f8eff665b6858e2bec71
            • Opcode Fuzzy Hash: 5dd12de00061d7d0093d8d5e82d49a8ca8e6026009a0f9deb6ab25b8ea667d0b
            • Instruction Fuzzy Hash: 2B512E75900109EFCF20DF68D880AAE77B6EF59320F18865AF95997390D734ED41EB90
            APIs
            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00FAC462
            • __itow.LIBCMT ref: 00FAC49C
              • Part of subcall function 00FAC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00FAC753
            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00FAC505
            • __itow.LIBCMT ref: 00FAC55A
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend$__itow
            • String ID:
            • API String ID: 3379773720-0
            • Opcode ID: 50d2bc1098bc04f9cd956e1705fb7aac35ed3f2cc65fd72c6dae02e5934ecc00
            • Instruction ID: 317170e54453cfa4169b240c6a5cc819c972b6941b75641a6d2085728bd93fb4
            • Opcode Fuzzy Hash: 50d2bc1098bc04f9cd956e1705fb7aac35ed3f2cc65fd72c6dae02e5934ecc00
            • Instruction Fuzzy Hash: 68410A71A002086FDF15EF54CC51FEE7BB9AF4A710F044019F909A7281DBB4AA45EBE2
            APIs
            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00FB3966
            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00FB3982
            • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00FB39EF
            • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00FB3A4D
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: b12832410291e21b00d6b3a3fcdfecceef010495a80d277234e1341a7ad0ea99
            • Instruction ID: 7079432328cc781a8cdad0a301466a5fc3ca1b4d785d6b4d70de2f8e3eef42bc
            • Opcode Fuzzy Hash: b12832410291e21b00d6b3a3fcdfecceef010495a80d277234e1341a7ad0ea99
            • Instruction Fuzzy Hash: D7410971E84248AAEF208B6788057FDBBBA9F55320F08015AE4C1921C1C7B89E85FF65
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FBE742
            • GetLastError.KERNEL32(?,00000000), ref: 00FBE768
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FBE78D
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FBE7B9
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            • Opcode ID: 25c5911ffba3f30c86e604e5eddb458bc83cc064fa235f142591e20c38c8e469
            • Instruction ID: 112f91ac65c2d3b2eaee8f52141f4af6f038a71e60b712510bbb9806cca15aa5
            • Opcode Fuzzy Hash: 25c5911ffba3f30c86e604e5eddb458bc83cc064fa235f142591e20c38c8e469
            • Instruction Fuzzy Hash: EA413A39600610DFCB11EF15C84599DBBEABF59720B19C089E91A9B362CB74FC00EF92
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FDB5D1
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: 6b65220f3d911ab568825b1e1b9bd2e38f37b5b95b9341fd9820154afa20ddcf
            • Instruction ID: 9650713f1417d13804caab8c59677ef4dc9947a1545ae41464f9f8abb7c8dcd5
            • Opcode Fuzzy Hash: 6b65220f3d911ab568825b1e1b9bd2e38f37b5b95b9341fd9820154afa20ddcf
            • Instruction Fuzzy Hash: D231D035A00108EBEB208F59DC85FAC776BAB0A360F6E4543F651D63E5CB34E940BB51
            APIs
            • ClientToScreen.USER32(?,?), ref: 00FDD807
            • GetWindowRect.USER32(?,?), ref: 00FDD87D
            • PtInRect.USER32(?,?,00FDED5A), ref: 00FDD88D
            • MessageBeep.USER32(00000000), ref: 00FDD8FE
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            • Opcode ID: b80456b8687253232b63ebd791ea716f261c55f33931c61834b7fcadec2eb5a3
            • Instruction ID: c83456e64baf997568696a271725952a078bc02926b4b883cc98554fd224571a
            • Opcode Fuzzy Hash: b80456b8687253232b63ebd791ea716f261c55f33931c61834b7fcadec2eb5a3
            • Instruction Fuzzy Hash: BB417C71A00218DFCB22DF98D884B6D7BBABF49360F1C81AAE4559B354D731E945FB40
            APIs
            • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00FB3AB8
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00FB3AD4
            • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00FB3B34
            • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00FB3B92
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: c8c20a204495d2937b2b738021f9f5a74d6a9596d5d62105ad7417c7df53cba4
            • Instruction ID: 4cfb4e9aa7de89b3097e1f6747e227420c6199c0bab66f6567880e5f8cef21e0
            • Opcode Fuzzy Hash: c8c20a204495d2937b2b738021f9f5a74d6a9596d5d62105ad7417c7df53cba4
            • Instruction Fuzzy Hash: 74314831E80258AEEF209B66CC197FE7BAA9F85320F04421AE481931D5C7789F45FF61
            APIs
            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FA4038
            • __isleadbyte_l.LIBCMT ref: 00FA4066
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00FA4094
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00FA40CA
            Similarity
            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
            • String ID:
            • API String ID: 3058430110-0
            • Opcode ID: e5711bf54bc756cb12821ca985e0de415a40e40e89024ac4236ea248ab4f607f
            • Instruction ID: 503850df695be7aa9d94d1e2ca5d2311b4df61536e41142906bfc1a18d902b48
            • Opcode Fuzzy Hash: e5711bf54bc756cb12821ca985e0de415a40e40e89024ac4236ea248ab4f607f
            • Instruction Fuzzy Hash: E531A171A00206AFDB219F74C845B7A7BA5BF82320F15C428E66587191E7B1E891FB90
            APIs
            • GetForegroundWindow.USER32 ref: 00FD7CB9
              • Part of subcall function 00FB5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB5F6F
              • Part of subcall function 00FB5F55: GetCurrentThreadId.KERNEL32 ref: 00FB5F76
              • Part of subcall function 00FB5F55: AttachThreadInput.USER32(00000000,?,00FB781F), ref: 00FB5F7D
            • GetCaretPos.USER32(?), ref: 00FD7CCA
            • ClientToScreen.USER32(00000000,?), ref: 00FD7D03
            • GetForegroundWindow.USER32 ref: 00FD7D09
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            • Opcode ID: 0d4933bff5161d0b4a91f845a1db906a1e4c5ec3829a48f5795e5cd0fbbb3af2
            • Instruction ID: dac724bd1705dcc99a90d6ed10414da710fa6a8fb48d7161af516feef371e57e
            • Opcode Fuzzy Hash: 0d4933bff5161d0b4a91f845a1db906a1e4c5ec3829a48f5795e5cd0fbbb3af2
            • Instruction Fuzzy Hash: E131BA72900108AFDB10EFA5DC459FFBBF9EF59314B10846AE815E7211DB35AA05ABA0
            APIs
              • Part of subcall function 00F8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F8B35F
            • GetCursorPos.USER32(?), ref: 00FDF211
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FEE4C0,?,?,?,?,?), ref: 00FDF226
            • GetCursorPos.USER32(?), ref: 00FDF270
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FEE4C0,?,?,?), ref: 00FDF2A6
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            • Opcode ID: 7feb0ba72dbcb07ea5bcde3969390759ec01693ce1ec87d966779dd10e0e6b88
            • Instruction ID: e39df6efd98d63564546cc96a0fc31df3c321d216809b2b0ac7d1445f8fa10ee
            • Opcode Fuzzy Hash: 7feb0ba72dbcb07ea5bcde3969390759ec01693ce1ec87d966779dd10e0e6b88
            • Instruction Fuzzy Hash: 95219139900018AFCB259F94C858EFE7BBAEF49721F0C406AF9068B2A5D3359D55FB50
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FC4358
              • Part of subcall function 00FC43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FC4401
              • Part of subcall function 00FC43E2: InternetCloseHandle.WININET(00000000), ref: 00FC449E
            Similarity
            • API ID: Internet$CloseConnectHandleOpen
            • String ID:
            • API String ID: 1463438336-0
            • Opcode ID: 6eeaf940b9b02a7161f4660d8f4e1076b279e55dfcfd45f493e9e99007a7ff9d
            • Instruction ID: 1266c5a1344cc1ed512f1224243bc83b6a6d4bc3f63fdf9c008fc9ff5f0c230e
            • Opcode Fuzzy Hash: 6eeaf940b9b02a7161f4660d8f4e1076b279e55dfcfd45f493e9e99007a7ff9d
            • Instruction Fuzzy Hash: 6A21D432600606BBDB159F609D12F7BBBADFF84710F10411EBA1596550D771A821B794
            APIs
            • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00FC8AE0
            • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00FC8AF2
            • accept.WSOCK32(00000000,00000000,00000000), ref: 00FC8AFF
            • WSAGetLastError.WSOCK32(00000000), ref: 00FC8B16
            Similarity
            • API ID: ErrorLastacceptselect
            • String ID:
            • API String ID: 385091864-0
            • Opcode ID: 5601cc1944f3a9f82f08d8a3efb392a1079bfe59905e0797cbf8707953f15255
            • Instruction ID: cd223378791a45aa7025c2cabc44c9688d41aa3021fdc26d5ecbb282a8dbd27d
            • Opcode Fuzzy Hash: 5601cc1944f3a9f82f08d8a3efb392a1079bfe59905e0797cbf8707953f15255
            • Instruction Fuzzy Hash: FA215472A001249FC7119F69CD85AAEBBEDEF4A360F00416AF849D7251DB749D41DF90
            APIs
            • GetWindowLongW.USER32(?,000000EC), ref: 00FD8AA6
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FD8AC0
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FD8ACE
            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FD8ADC
            Similarity
            • API ID: Window$Long$AttributesLayered
            • String ID:
            • API String ID: 2169480361-0
            • Opcode ID: a9f524ac00ad19a08cfd706164219e7012e874573702934a411e7ee28309ad28
            • Instruction ID: 60b98d8f567e430f52f607e8bfdb2e2651991c6a775ecb14485fb874f53e0f08
            • Opcode Fuzzy Hash: a9f524ac00ad19a08cfd706164219e7012e874573702934a411e7ee28309ad28
            • Instruction Fuzzy Hash: B9117F31205115AFD705AB14CC05FBA77AEAF85360F18811AF91AC73E2CB78AD01E795
            APIs
              • Part of subcall function 00FB1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00FB0ABB,?,?,?,00FB187A,00000000,000000EF,00000119,?,?), ref: 00FB1E77
              • Part of subcall function 00FB1E68: lstrcpyW.KERNEL32(00000000,?,?,00FB0ABB,?,?,?,00FB187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FB1E9D
              • Part of subcall function 00FB1E68: lstrcmpiW.KERNEL32(00000000,?,00FB0ABB,?,?,?,00FB187A,00000000,000000EF,00000119,?,?), ref: 00FB1ECE
            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00FB187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FB0AD4
            • lstrcpyW.KERNEL32(00000000,?,?,00FB187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FB0AFA
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00FB187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FB0B2E
            Strings
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            • Opcode ID: 3997148d2048f849769d0b8906c6a5e1935346aae0dc8980a1e4876c22f8888a
            • Instruction ID: 22453361cca9d1b9607b7855c84793e18359f60f541329ae8cc1f25993671760
            • Opcode Fuzzy Hash: 3997148d2048f849769d0b8906c6a5e1935346aae0dc8980a1e4876c22f8888a
            • Instruction Fuzzy Hash: 4A119336200305AFDB25AF25DC55DBA77A9FF85364B90806AE806CB250EF71D950EBA0
            APIs
            • _free.LIBCMT ref: 00FA2FB5
              • Part of subcall function 00F9395C: __FF_MSGBANNER.LIBCMT ref: 00F93973
              • Part of subcall function 00F9395C: __NMSG_WRITE.LIBCMT ref: 00F9397A
              • Part of subcall function 00F9395C: RtlAllocateHeap.NTDLL(01510000,00000000,00000001,00000001,00000000,?,?,00F8F507,?,0000000E), ref: 00F9399F
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            • Opcode ID: 3892694ef48f8852b851d66afdd4968a634335b58d84346ed766a60c86ff1f2c
            • Instruction ID: aaba4bc6179884b005755751f4b4575129c2f7349b35e49d954a37627a12616d
            • Opcode Fuzzy Hash: 3892694ef48f8852b851d66afdd4968a634335b58d84346ed766a60c86ff1f2c
            • Instruction Fuzzy Hash: 4211CA72A09316AFEF313B78AC057693B98AF06374F208525F94996155DB39CD40BB90
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00FB05AC
            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FB05C7
            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FB05DD
            • FreeLibrary.KERNEL32(?), ref: 00FB0632
            Similarity
            • API ID: Type$FileFreeLibraryLoadModuleNameRegister
            • String ID:
            • API String ID: 3137044355-0
            • Opcode ID: 07922f3e4a5b61dc46ef366f1df832e74b5ad34b776cf22e6343ed2b7000c825
            • Instruction ID: f984af113d4f78e4f5c671b8548c36ac922b12f757230e0bd7cb2122f36a2926
            • Opcode Fuzzy Hash: 07922f3e4a5b61dc46ef366f1df832e74b5ad34b776cf22e6343ed2b7000c825
            • Instruction Fuzzy Hash: 74214F71900219EFDB209F96DC88AEBBBBDEF40704F0084A9E51696150DB74EA55EF50
            APIs
            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00FB6733
            • _memset.LIBCMT ref: 00FB6754
            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00FB67A6
            • CloseHandle.KERNEL32(00000000), ref: 00FB67AF
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle_memset
            • String ID:
            • API String ID: 1157408455-0
            • Opcode ID: c85e1cb043262296354b11128f944ef78962e32dff3402e7a7c11eed93a226fd
            • Instruction ID: 23681c3e86beb7ea09ab77496857c807a04164d07d593a0e85e90ad7640f6e60
            • Opcode Fuzzy Hash: c85e1cb043262296354b11128f944ef78962e32dff3402e7a7c11eed93a226fd
            • Instruction Fuzzy Hash: 2011A3769012287AE7209BA5AC4DFEBBABCEF44764F10419AF504E7190DA744E80DBA4
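As an added example (my code, not code from the sample or from the Joe Sandbox report), the control code 0004D02C passed to DeviceIoControl in the function above can be decoded with the CTL_CODE bit layout from winioctl.h. It resolves to IOCTL_ATA_PASS_THROUGH: device type FILE_DEVICE_CONTROLLER (the SCSI/ATA IOCTL base), function 0x40B, METHOD_BUFFERED, read and write access. The constant names and their definitions come from the Windows SDK headers; the small lookup table of known codes is my own selection and is not on the page.

```python
"""Decode Windows I/O control codes (the dwIoControlCode argument of
DeviceIoControl).  Added example for this report section; not code from the
sample or from Joe Sandbox.  Constant names and definitions are taken from
the Windows SDK headers (winioctl.h, ntddscsi.h, ntdddisk.h); the lookup
table below is a deliberately small, hand-picked subset (assumption: it
covers only the storage-related codes a triage analyst meets most often)."""

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {
    0x04: "FILE_DEVICE_CONTROLLER",    # also IOCTL_SCSI_BASE
    0x07: "FILE_DEVICE_DISK",          # also IOCTL_DISK_BASE
    0x2D: "FILE_DEVICE_MASS_STORAGE",  # also IOCTL_STORAGE_BASE
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Python equivalent of the CTL_CODE macro from winioctl.h."""
    if not (0 <= device_type <= 0xFFFF and 0 <= function < 0x1000
            and 0 <= method < 4 and 0 <= access < 4):
        raise ValueError("CTL_CODE field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


# (device type, function, method, access) exactly as defined in the SDK headers.
KNOWN_IOCTLS = {
    ctl_code(0x04, 0x040B, 0, 3): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(0x04, 0x0401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(0x2D, 0x0500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
    ctl_code(0x07, 0x0000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    ctl_code(0x07, 0x0022, 0, 3): "SMART_RCV_DRIVE_DATA",
}


def decode_ioctl(code: int) -> dict:
    """Split a 32-bit control code into its four fields; name it if known."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("control code must fit in 32 bits")
    device_type = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "code": code,
        "device_type": device_type,
        "device_type_name": DEVICE_TYPES.get(device_type, f"0x{device_type:X}"),
        "access": ACCESS[access],
        "function": function,
        "method": METHODS[method],
        "name": KNOWN_IOCTLS.get(code),  # None when not in the table
    }


def describe(code: int) -> str:
    """One-line human-readable rendering, e.g. for a triage note."""
    d = decode_ioctl(code)
    name = d["name"] or "unknown"
    return (f"0x{code:08X} = {name}: {d['device_type_name']}, "
            f"function 0x{d['function']:03X}, {d['method']}, {d['access']}")


if __name__ == "__main__":
    # The control code from the DeviceIoControl call listed above.
    print(describe(0x4D02C))
```

The same call passes 0x200-byte input and output buffers, which matches the 512-byte ATA IDENTIFY DEVICE block that an ATA pass-through request returns; that is consistent with reading the physical drive's model and serial strings, values that sandbox-evasion code commonly inspects for virtual-disk vendor names. The report only lists the calls, so treat that reading as an inference rather than something the page states.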
            APIs
              • Part of subcall function 00FAAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FAAA79
              • Part of subcall function 00FAAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FAAA83
              • Part of subcall function 00FAAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FAAA92
              • Part of subcall function 00FAAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FAAA99
              • Part of subcall function 00FAAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FAAAAF
            • GetLengthSid.ADVAPI32(?,00000000,00FAADE4,?,?), ref: 00FAB21B
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FAB227
            • HeapAlloc.KERNEL32(00000000), ref: 00FAB22E
            • CopySid.ADVAPI32(?,00000000,?), ref: 00FAB247
            Similarity
            • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
            • String ID:
            • API String ID: 4217664535-0
            • Opcode ID: b3925c9ad931b81cc4a02c0605db600e2e9fadbb91c563b45834bbb01d518fb7
            • Instruction ID: 1a20529d6225af94b88f12b44eae6ec8cb16cef8370ee87eeacf5b037bf8f479
            • Opcode Fuzzy Hash: b3925c9ad931b81cc4a02c0605db600e2e9fadbb91c563b45834bbb01d518fb7
            • Instruction Fuzzy Hash: 56114FB1A00209EFDB159F94DC85BBEB7EDEF86314B14802EE94297211D735AE44EB10
            APIs
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00FAB498
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FAB4AA
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FAB4C0
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FAB4DB
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 007f0e200ef923dec31bc15f6c9a2f6c0e40fbfd27ac57da0060657f1ff90856
            • Instruction ID: dae7dc73e1be0825533569c6ed3c2b38dee97e15a335222c4fce53e4bf15a74c
            • Opcode Fuzzy Hash: 007f0e200ef923dec31bc15f6c9a2f6c0e40fbfd27ac57da0060657f1ff90856
            • Instruction Fuzzy Hash: 8811187A900218FFDB11DFA9C985E9DBBB8FB09710F204091EA04B7295D771AE11EB94
            APIs
              • Part of subcall function 00F8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F8B35F
            • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00F8B5A5
            • GetClientRect.USER32(?,?), ref: 00FEE69A
            • GetCursorPos.USER32(?), ref: 00FEE6A4
            • ScreenToClient.USER32(?,?), ref: 00FEE6AF
            Similarity
            • API ID: Client$CursorLongProcRectScreenWindow
            • String ID:
            • API String ID: 4127811313-0
            • Opcode ID: 42b3b6498cc3622914ba670c85c05feb68a4ffa2ca2b42bbc3f127a7c1270a5d
            • Instruction ID: 341c37f07cdbd8a9e0ab0c289190f55a416be649c88640ec041c541b70e808ee
            • Opcode Fuzzy Hash: 42b3b6498cc3622914ba670c85c05feb68a4ffa2ca2b42bbc3f127a7c1270a5d
            • Instruction Fuzzy Hash: 4B11063290002ABBDB10EF94EC499FE77BDEF09314F140455E951E7240D734AA91EBA5
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 00FB7352
            • MessageBoxW.USER32(?,?,?,?), ref: 00FB7385
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FB739B
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FB73A2
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
            • String ID:
            • API String ID: 2880819207-0
            • Opcode ID: 2dc453b4499f9c8f6aa7832be2fd8a2dabf9d291c7f2248e8c46605216d8a3df
            • Instruction ID: 7b31d9c376e54e598d7543dbb5ac79c07ae4990f5b62b91b77a37e5b11ea0617
            • Opcode Fuzzy Hash: 2dc453b4499f9c8f6aa7832be2fd8a2dabf9d291c7f2248e8c46605216d8a3df
            • Instruction Fuzzy Hash: 96110872A04208BFD7019B6DDC45EEE7BEEAF85320F144315F921D3251D6748D00EBA1
            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F8D1BA
            • GetStockObject.GDI32(00000011), ref: 00F8D1CE
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F8D1D8
            Similarity
            • API ID: CreateMessageObjectSendStockWindow
            • String ID:
            • API String ID: 3970641297-0
            • Opcode ID: 18ace3d861e7618158c73a4ef4e7526be74ad980ce977db4923f013ccc962bba
            • Instruction ID: d421295e1e6e646ca8a893928ea097a97f79707915c8d72fb36d7f9d0897ab92
            • Opcode Fuzzy Hash: 18ace3d861e7618158c73a4ef4e7526be74ad980ce977db4923f013ccc962bba
            • Instruction Fuzzy Hash: 2B11AD7250190DBFEB126F909C58EEABB6EFF08368F040102FA0492190CB319C60FBA0
            APIs
            Similarity
            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
            • String ID:
            • API String ID: 3016257755-0
            • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
            • Instruction ID: 862fc3ac6b1b534d4c7f188ce16fcaee6ec4f3739f8e5236a93a6f1503e38382
            • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
            • Instruction Fuzzy Hash: 44017BB240014ABBCF125F84DC918EE3F37BB5A760B488415FE2859030D376EAB1BB85
            APIs
              • Part of subcall function 00F97A0D: __getptd_noexit.LIBCMT ref: 00F97A0E
            • __lock.LIBCMT ref: 00F9748F
            • InterlockedDecrement.KERNEL32(?), ref: 00F974AC
            • _free.LIBCMT ref: 00F974BF
            • InterlockedIncrement.KERNEL32(01523B70), ref: 00F974D7
            Similarity
            • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
            • String ID:
            • API String ID: 2704283638-0
            • Opcode ID: 4d7f91fe8a9ad3df9eafb7b561eda29455b2af0d98232264a6ce54aef6477ffc
            • Instruction ID: fb8656704900c4e06b4f83b3da4a2708adc6f4d9f21b7ed73a0f30ea7eba897e
            • Opcode Fuzzy Hash: 4d7f91fe8a9ad3df9eafb7b561eda29455b2af0d98232264a6ce54aef6477ffc
            • Instruction Fuzzy Hash: 0101C432E19726E7EF22FF29980579DBB60BF04720F244005F854A7682CB786940EFC1
            APIs
            • GetWindowRect.USER32(?,?), ref: 00FDDFF7
            • ScreenToClient.USER32(?,?), ref: 00FDE00F
            • ScreenToClient.USER32(?,?), ref: 00FDE033
            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FDE04E
            Similarity
            • API ID: ClientRectScreen$InvalidateWindow
            • String ID:
            • API String ID: 357397906-0
            • Opcode ID: f91aacbb5e48f0ee8aff598995336490c36c2d2552c016066d1aba8d9409dbf1
            • Instruction ID: 358da7a1da10dfd5d5e277cf02539f06e639d37d03d28b849d42f7ce103f637d
            • Opcode Fuzzy Hash: f91aacbb5e48f0ee8aff598995336490c36c2d2552c016066d1aba8d9409dbf1
            • Instruction Fuzzy Hash: D2111AB9D0020DAFDB41DFA8C8849EEBBF9FF08210F108166E925E3210D735AA55DF51
            APIs
            • __lock.LIBCMT ref: 00F97AD8
              • Part of subcall function 00F97CF4: __mtinitlocknum.LIBCMT ref: 00F97D06
              • Part of subcall function 00F97CF4: EnterCriticalSection.KERNEL32(00000000,?,00F97ADD,0000000D), ref: 00F97D1F
            • InterlockedIncrement.KERNEL32(?), ref: 00F97AE5
            • __lock.LIBCMT ref: 00F97AF9
            • ___addlocaleref.LIBCMT ref: 00F97B17
            Similarity
            • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
            • String ID:
            • API String ID: 1687444384-0
            • Opcode ID: 9738b5ba10779e60694ef5769101a22831dbe484f0e1d76ac564e55314014dfb
            • Instruction ID: 6fd1aa92dc290958af514d5f8ab08a10842973bdffda62d90b51f7033bf30169
            • Opcode Fuzzy Hash: 9738b5ba10779e60694ef5769101a22831dbe484f0e1d76ac564e55314014dfb
            • Instruction Fuzzy Hash: 7F016D71505B01EFEB31EF76C90574AB7F0AF80325F20890EE49AD76A1CB78A680DB05
            APIs
            • _memset.LIBCMT ref: 00FDE33D
            • _memset.LIBCMT ref: 00FDE34C
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01033D00,01033D44), ref: 00FDE37B
            • CloseHandle.KERNEL32 ref: 00FDE38D
            Similarity
            • API ID: _memset$CloseCreateHandleProcess
            • String ID:
            • API String ID: 3277943733-0
            • Opcode ID: 9318f671b7a63ffb186e17c3fb4d3336f804dfe817292cf6baf18d4b875d0eb8
            • Instruction ID: 1e044924adeededac31db0b1de6a29404c5ba26fe38dc7f4bddd936e2ce699a5
            • Opcode Fuzzy Hash: 9318f671b7a63ffb186e17c3fb4d3336f804dfe817292cf6baf18d4b875d0eb8
            • Instruction Fuzzy Hash: B4F05EF1640304BEF6203A65BC89F7B7E5CEB05754F004421BE88DE192DB7A9C0097A8
            APIs
              • Part of subcall function 00F8AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00F8AFE3
              • Part of subcall function 00F8AF83: SelectObject.GDI32(?,00000000), ref: 00F8AFF2
              • Part of subcall function 00F8AF83: BeginPath.GDI32(?), ref: 00F8B009
              • Part of subcall function 00F8AF83: SelectObject.GDI32(?,00000000), ref: 00F8B033
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00FDEA8E
            • LineTo.GDI32(00000000,?,?), ref: 00FDEA9B
            • EndPath.GDI32(00000000), ref: 00FDEAAB
            • StrokePath.GDI32(00000000), ref: 00FDEAB9
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            • Opcode ID: ba9b28e32903ad9f7c602e8a517f548340159890ec958670d6ab826edfc5c645
            • Instruction ID: d515ed0c524ab82584fb646b02ef866390248af682eea5d830331f5fb6de63b0
            • Opcode Fuzzy Hash: ba9b28e32903ad9f7c602e8a517f548340159890ec958670d6ab826edfc5c645
            • Instruction Fuzzy Hash: 24F08231045259BBEB12AF94AD0DFDE3F1EAF0A321F084102FA11651E18B795551FBA5
            APIs
            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FAC84A
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FAC85D
            • GetCurrentThreadId.KERNEL32 ref: 00FAC864
            • AttachThreadInput.USER32(00000000), ref: 00FAC86B
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            • Opcode ID: 76dc9eea90b8d5c52509dc20860875a607edf232ae4c3d87d325ffc255272ee1
            • Instruction ID: 72fd90e5c2735e2a25100e05c97cb4393266a08d51c99f82a903da60e8d30b1e
            • Opcode Fuzzy Hash: 76dc9eea90b8d5c52509dc20860875a607edf232ae4c3d87d325ffc255272ee1
            • Instruction Fuzzy Hash: 0DE039B154122CBAEB201BA2DC0DFEB7F5DEF067A1F008021B609C4460C6B58580EBE0
            APIs
            • GetCurrentThread.KERNEL32 ref: 00FAB0D6
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00FAAC9D), ref: 00FAB0DD
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FAAC9D), ref: 00FAB0EA
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00FAAC9D), ref: 00FAB0F1
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            • Opcode ID: 73846d67ed967ed1fbe64ed4f76be9e3ddfc2464af7fb317108dd408d6225205
            • Instruction ID: 4066073df60c524c8be4d762dc18d6d97011192e04e660b53344a1b7bdd8480f
            • Opcode Fuzzy Hash: 73846d67ed967ed1fbe64ed4f76be9e3ddfc2464af7fb317108dd408d6225205
            • Instruction Fuzzy Hash: 7EE08672A01215ABD7201FB15C0CB5B3BADEF567A2F01C818F241D6044DB348401E760
            APIs
            • GetSysColor.USER32(00000008), ref: 00F8B496
            • SetTextColor.GDI32(?,000000FF), ref: 00F8B4A0
            • SetBkMode.GDI32(?,00000001), ref: 00F8B4B5
            • GetStockObject.GDI32(00000005), ref: 00F8B4BD
            • GetWindowDC.USER32(?,00000000), ref: 00FEDE2B
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FEDE38
            • GetPixel.GDI32(00000000,?,00000000), ref: 00FEDE51
            • GetPixel.GDI32(00000000,00000000,?), ref: 00FEDE6A
            • GetPixel.GDI32(00000000,?,?), ref: 00FEDE8A
            • ReleaseDC.USER32(?,00000000), ref: 00FEDE95
            Similarity
            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
            • String ID:
            • API String ID: 1946975507-0
            • Opcode ID: 2ad4e5c5bdee4af19d70240fc0948e6bbf9aad53fedc6bedaee05c6655c6af05
            • Instruction ID: d23db65bd5eb2d31dee006a725f6c403dcaff9bc5fac1b41d3d3aa05bcaa9ead
            • Opcode Fuzzy Hash: 2ad4e5c5bdee4af19d70240fc0948e6bbf9aad53fedc6bedaee05c6655c6af05
            • Instruction Fuzzy Hash: 32E0ED31500284AAEB216F65AC4DBE83F1AAF52336F14C666FA69580E1C7B14581EB11
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FAB2DF
            • UnloadUserProfile.USERENV(?,?), ref: 00FAB2EB
            • CloseHandle.KERNEL32(?), ref: 00FAB2F4
            • CloseHandle.KERNEL32(?), ref: 00FAB2FC
              • Part of subcall function 00FAAB24: GetProcessHeap.KERNEL32(00000000,?,00FAA848), ref: 00FAAB2B
              • Part of subcall function 00FAAB24: HeapFree.KERNEL32(00000000), ref: 00FAAB32
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            • Opcode ID: e53090910ee719b7027e5d0061f15910ccf75bd43360b23a0f2bb288aa0e3a80
            • Instruction ID: f0fd0193d3c1e0639647c22745eb218a7194fc78450ceacde9f0071ce1d6631a
            • Opcode Fuzzy Hash: e53090910ee719b7027e5d0061f15910ccf75bd43360b23a0f2bb288aa0e3a80
            • Instruction Fuzzy Hash: 4AE0BF36104009BBCB012B95DC0886DFB6BFF893213108221F61581575CB329471FB91
            APIs
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 44c2674f522764eddee723886145fdeaf1066f31646d096499dea6675249b8da
            • Instruction ID: 07988129dd11007b9d057099fe58a7a2f72607cd11d1a861a1f81df63f791327
            • Opcode Fuzzy Hash: 44c2674f522764eddee723886145fdeaf1066f31646d096499dea6675249b8da
            • Instruction Fuzzy Hash: 53E09AB1500208EFDB015F70984CA7E7BAAEF4C355F118815F95ACB251DB749841EB50
            APIs
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: cc7d326fbf0f2ac85c2646561548ae5c53659b8de687ea89e2e0afbd2b145a39
            • Instruction ID: aba657ce13d623596d2e18ed9e63a57b1ce36501216d1265670e236507834045
            • Opcode Fuzzy Hash: cc7d326fbf0f2ac85c2646561548ae5c53659b8de687ea89e2e0afbd2b145a39
            • Instruction Fuzzy Hash: 36E092B1500208AFDB016F70984CA7D7BAAEF4C365B118819F95ACB251DBB9A941EB50
            APIs
            • OleSetContainedObject.OLE32(?,00000001), ref: 00FADEAA
            Strings
            Similarity
            • API ID: ContainedObject
            • String ID: AutoIt3GUI$Container
            • API String ID: 3565006973-3941886329
            • Opcode ID: 6bcd113a2ae1f1f9709fb0956498784c2f5b87d96bbc3e4ea34c10d45719e385
            • Instruction ID: b731753ad92e42e35d93d856857a4b5463f0e612c0aeb1284f96e6e4bdd367c0
            • Opcode Fuzzy Hash: 6bcd113a2ae1f1f9709fb0956498784c2f5b87d96bbc3e4ea34c10d45719e385
            • Instruction Fuzzy Hash: 3E9137B4600705AFDB14DF64C884B6AB7F9BF4A710F20856EF94ACB691DB70E841DB60
            APIs
              • Part of subcall function 00F8C6F4: _wcscpy.LIBCMT ref: 00F8C717
              • Part of subcall function 00F7936C: __swprintf.LIBCMT ref: 00F793AB
              • Part of subcall function 00F7936C: __itow.LIBCMT ref: 00F793DF
            • __wcsnicmp.LIBCMT ref: 00FBDEFD
            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00FBDFC6
            Strings
            Similarity
            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
            • String ID: LPT
            • API String ID: 3222508074-1350329615
            • Opcode ID: fe2b69c76f4288c9a085a3ae6493e57b807dda9f87416da80b1faf1dc73ea3f1
            • Instruction ID: 59c022a93a850a50cb7a32f2d62f27a77a59829d5687488e9947aad93ec415a4
            • Opcode Fuzzy Hash: fe2b69c76f4288c9a085a3ae6493e57b807dda9f87416da80b1faf1dc73ea3f1
            • Instruction Fuzzy Hash: 8161B275E00215AFCB14EF99C881EFEB7B5AF18310F00406AF54AAB291D774AE40EF91
            APIs
            • Sleep.KERNEL32(00000000), ref: 00F8BCDA
            • GlobalMemoryStatusEx.KERNEL32 ref: 00F8BCF3
            Strings
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            • Opcode ID: 75229471d2cf533f79384f25f1f42bdcb40a1b2134cbdd52a73135b19538967e
            • Instruction ID: 5106670345244b04a364452844b585fb06c58594e9893bed1a25e577f7b0b866
            • Opcode Fuzzy Hash: 75229471d2cf533f79384f25f1f42bdcb40a1b2134cbdd52a73135b19538967e
            • Instruction Fuzzy Hash: FE5175720087449BE320AF50DC8ABAFBBECFF99354F41484EF1C8411A6DF3594A8A752
            APIs
              • Part of subcall function 00F744ED: __fread_nolock.LIBCMT ref: 00F7450B
            • _wcscmp.LIBCMT ref: 00FBC65D
            • _wcscmp.LIBCMT ref: 00FBC670
            Strings
            Similarity
            • API ID: _wcscmp$__fread_nolock
            • String ID: FILE
            • API String ID: 4029003684-3121273764
            • Opcode ID: fea35e0111874fb167365e2e80de9aace22867df912fcf03b6c7c8793adb678f
            • Instruction ID: 199dde6b463d1e79ad7163c2c2a0151735dbe26d5db56c161baa87ebd2022ad5
            • Opcode Fuzzy Hash: fea35e0111874fb167365e2e80de9aace22867df912fcf03b6c7c8793adb678f
            • Instruction Fuzzy Hash: 3441D972A0021A7BDF10DEA5DC41FEF77B9AF49714F00406AFA15EB181D774AA04EB91
            APIs
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00FDA85A
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FDA86F
            Strings
            Similarity
            • API ID: MessageSend
            • String ID: '
            • API String ID: 3850602802-1997036262
            • Opcode ID: 3f9f8d7c0f423499cca20f9a2d6f3a0359f1483b7b11753a74dcbc7f7405b94a
            • Instruction ID: 57edb231da904b0d5a65cf2a938c630804af0c47828d3f0984ed5dd727e4df60
            • Opcode Fuzzy Hash: 3f9f8d7c0f423499cca20f9a2d6f3a0359f1483b7b11753a74dcbc7f7405b94a
            • Instruction Fuzzy Hash: 4C410775E013099FDB14CFA8C880BDA7BBAFB08310F14016AE905EB381D775A942EF95
            APIs
            • _memset.LIBCMT ref: 00FC5190
            • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00FC51C6
            Strings
            Similarity
            • API ID: CrackInternet_memset
            • String ID: |
            • API String ID: 1413715105-2343686810
            • Opcode ID: f9b17bbead4770968b1fb804c415e06bbd39ac1a02e29a5ed8e76f2a20f9b996
            • Instruction ID: 3c3c466b87422890be77785f11aca539576315fd87916e4888c2c10334dd1a0f
            • Opcode Fuzzy Hash: f9b17bbead4770968b1fb804c415e06bbd39ac1a02e29a5ed8e76f2a20f9b996
            • Instruction Fuzzy Hash: 29311A71C00119ABCF01AFA4CD45EEE7FB9FF14750F00401AF819A6166DB35AA45EBA1
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 00FD980E
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FD984A
            Strings
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            • Opcode ID: 381ce9c20ac2eb864b92b9bfec4440fee4e7cfa8e86ecafb5b0edb7a9841a33f
            • Instruction ID: 43a1759225cae71f01fdc65d0833e8c5ae902c2a231cbc1f5dde6888dd21b1fc
            • Opcode Fuzzy Hash: 381ce9c20ac2eb864b92b9bfec4440fee4e7cfa8e86ecafb5b0edb7a9841a33f
            • Instruction Fuzzy Hash: FC319E71510604AAEB109F74CC80BFB73AEFF59760F04861AF8A9D7290CB75AC81E760
            APIs
            • _memset.LIBCMT ref: 00FB51C6
            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FB5201
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: f4af225ee35978d6571e108598622ac12b01cc54c67b0e5732bcad283747551a
            • Instruction ID: 23ebaa99116d87943a4bf66feb81c54c9ed2b1b7282e31bbf7cef02803540595
            • Opcode Fuzzy Hash: f4af225ee35978d6571e108598622ac12b01cc54c67b0e5732bcad283747551a
            • Instruction Fuzzy Hash: F131F831E017049FEB24DF9AD845BEEBBF8FF45760F184019E981A61A0D7789A44EF10
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: __snwprintf
            • String ID: , $$AUTOITCALLVARIABLE%d
            • API String ID: 2391506597-2584243854
            • Opcode ID: 9eab8b473105caa0104d334b18a0e711406420ef2fd81d7367a8c2154cc2848f
            • Instruction ID: 3d1d30f703ac46678aeb764a5abc3ee65c1297f48ad44cf6d03ab867b5cfafc6
            • Opcode Fuzzy Hash: 9eab8b473105caa0104d334b18a0e711406420ef2fd81d7367a8c2154cc2848f
            • Instruction Fuzzy Hash: 19216B71600219AACF10EFA4DD82FAD73B4BB49700F40445EF409EF141DA78E959EBA2
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FD945C
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD9467
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            • Opcode ID: 89f3f4a1ee783bb7a1f20ec7dcfc26342d4cddb17bc368fdc9c63ab580878b5c
            • Instruction ID: 314bd3350489cf698918c3d47ae122d7348c84e11a49da809e4b1d3d630444c1
            • Opcode Fuzzy Hash: 89f3f4a1ee783bb7a1f20ec7dcfc26342d4cddb17bc368fdc9c63ab580878b5c
            • Instruction Fuzzy Hash: C811E671704108AFEF11DE94CC80EBB376FEB493B4F144126F95897391D6B19C52A760
            APIs
              • Part of subcall function 00F8D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F8D1BA
              • Part of subcall function 00F8D17C: GetStockObject.GDI32(00000011), ref: 00F8D1CE
              • Part of subcall function 00F8D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F8D1D8
            • GetWindowRect.USER32(00000000,?), ref: 00FD9968
            • GetSysColor.USER32(00000012), ref: 00FD9982
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            • Opcode ID: 40d9c3ae262dca7b8282392065d296bedc3203198351e79b8571dc76e56e1e15
            • Instruction ID: 7dc8fac91ed9477ed595470f6ee5829ef19df5141acfa57bcf1ba925f7804d54
            • Opcode Fuzzy Hash: 40d9c3ae262dca7b8282392065d296bedc3203198351e79b8571dc76e56e1e15
            • Instruction Fuzzy Hash: 63115972510209AFDB04DFB8CC45AFA7BA9FF08314F041629F995D2250D775E810EB50
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 00FD9699
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FD96A8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            • Opcode ID: 2e853ef552ba404da4f3a6e170e245d3bc7d549520dcfc910fadd87ee3a71d07
            • Instruction ID: 206cfb2877b32dc24bce986c57ea6e67f285355fab8b133741e35e10c75bdac9
            • Opcode Fuzzy Hash: 2e853ef552ba404da4f3a6e170e245d3bc7d549520dcfc910fadd87ee3a71d07
            • Instruction Fuzzy Hash: 61116A71904108AAEB116FA4DC44AEB3B6EEF05378F18471AF965972E0C7B5DC50BB60
            APIs
            • _memset.LIBCMT ref: 00FB52D5
            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00FB52F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: 14597ad890ed96cb0cd4207cad745f612b453b85e9f51bf08a8bedc66bf77b2f
            • Instruction ID: aa86ebbacb66a0ceeb62939b81ab80cdb8ecb86f726ddad744062d206191f639
            • Opcode Fuzzy Hash: 14597ad890ed96cb0cd4207cad745f612b453b85e9f51bf08a8bedc66bf77b2f
            • Instruction Fuzzy Hash: FA11E276D02614ABDB20DA9AD904BDD77FAAB09B60F0C0015E941E7294D3B8ED09EF90
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FC4DF5
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FC4E1E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            • Opcode ID: 93a957e908bfe8e81bd9eef602e6d71d2af6f7a5f5fbcd3fbb0d1475e039926b
            • Instruction ID: 882cc37376ff04e057d43e9a3cb436d996597514417fb0138f9c82cc4bd92b01
            • Opcode Fuzzy Hash: 93a957e908bfe8e81bd9eef602e6d71d2af6f7a5f5fbcd3fbb0d1475e039926b
            • Instruction Fuzzy Hash: 4111A071901226BBDB259F51C9AAFFBFBA8FF06765F10822EF50696140D3707840E6E0
            APIs
            • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00FCA84E
            • htons.WSOCK32(00000000,?,00000000), ref: 00FCA88B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: htonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 3832099526-2422070025
            • Opcode ID: 2c7bcb1ecd81f6e066e855169ab0615abb898dde8879ae2dd6f0da7d502bb203
            • Instruction ID: 3687ae24d09b1c1b08f20598202da8a5e2f1a45cff7e01456c9489169e7060fd
            • Opcode Fuzzy Hash: 2c7bcb1ecd81f6e066e855169ab0615abb898dde8879ae2dd6f0da7d502bb203
            • Instruction Fuzzy Hash: EF010475600309ABCB10AF68C846FA9B364FF45724F10841AF5159B2D1D739E801E752
            APIs
            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FAB7EF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: ComboBox$ListBox
            • API String ID: 3850602802-1403004172
            • Opcode ID: 49eef1a4d9d8f6675f89afb94599982be93fb17972af9a847b4043e4a24a0dbc
            • Instruction ID: 5ed03065aada44d9724d9b9fa25892552f7621ee8e1ecacb111d2fd1aaa3f1ec
            • Opcode Fuzzy Hash: 49eef1a4d9d8f6675f89afb94599982be93fb17972af9a847b4043e4a24a0dbc
            • Instruction Fuzzy Hash: 4501D8B1A41114AFCB04EBA8CC529FE736DBF47350704061DF462972D2EB785908A790
            APIs
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00FAB6EB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: ComboBox$ListBox
            • API String ID: 3850602802-1403004172
            • Opcode ID: b13f94bed7fda92eff0a02906285f79628fe10e3fe9119cd571340ee3f948598
            • Instruction ID: db5d7606d0128b6695a7248b2cac0ac4086debb695d20bf5bcb3639f269c386d
            • Opcode Fuzzy Hash: b13f94bed7fda92eff0a02906285f79628fe10e3fe9119cd571340ee3f948598
            • Instruction Fuzzy Hash: 13018FB1A41008ABCB04EBA4CD52BFE73A99F06340B14001DF442A7282EB585E18A7F6
            APIs
            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00FAB76C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: ComboBox$ListBox
            • API String ID: 3850602802-1403004172
            • Opcode ID: 6b5f5971e0a03762b0020b06483a2f1dc80d35cf69a5c691594c20ce748f42c1
            • Instruction ID: 15d93fbd5550bbfb248be9a5f2e8dd857e6fb9b81031beda4da44687c425700c
            • Opcode Fuzzy Hash: 6b5f5971e0a03762b0020b06483a2f1dc80d35cf69a5c691594c20ce748f42c1
            • Instruction Fuzzy Hash: 0F01D6B5A41104ABCB00E7A4DD12FFE73AD9F07340F54401EF442B3192EBA85E09A7B6
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: ClassName_wcscmp
            • String ID: #32770
            • API String ID: 2292705959-463685578
            • Opcode ID: afffce82f04aaa0f1f79a7c516428a75b5867cc0bc9f69724a0bffffdc9c100a
            • Instruction ID: 64ea386c163f3a35c3ee8475731545f7e5df008e58c3bb8ac92bfe197d9de6ce
            • Opcode Fuzzy Hash: afffce82f04aaa0f1f79a7c516428a75b5867cc0bc9f69724a0bffffdc9c100a
            • Instruction Fuzzy Hash: 79E02233A0032827DB20AAA69C09EC7FBACBB94760F01402AF905D7041D664A6008BD0
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FAA63F
              • Part of subcall function 00F913F1: _doexit.LIBCMT ref: 00F913FB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: Message_doexit
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 1993061046-4017498283
            • Opcode ID: f18af7d6690295954e1a8c16a0c44300a18c30e88ae636dac9052b68b42abdfa
            • Instruction ID: bcdd672ee6d15b58ae9ce4a42e21bbaa3b0879d2ea57c2f7a10727db6c0418a4
            • Opcode Fuzzy Hash: f18af7d6690295954e1a8c16a0c44300a18c30e88ae636dac9052b68b42abdfa
            • Instruction Fuzzy Hash: C7D05B313C472837E21537D96C17FD5754C9F15BA1F04402AFB4C995D249D6D640A2E9
            APIs
            • GetSystemDirectoryW.KERNEL32(?), ref: 00FEACC0
            • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00FEAEBD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: DirectoryFreeLibrarySystem
            • String ID: WIN_XPe
            • API String ID: 510247158-3257408948
            • Opcode ID: f56c191494e84a079d326f0016d754f9773d2c544eada41ed4f72e6af1423b21
            • Instruction ID: 57a41cd11ce5fe106d7e99b1555fc58d2591450b52603c49cc5201dff8c72906
            • Opcode Fuzzy Hash: f56c191494e84a079d326f0016d754f9773d2c544eada41ed4f72e6af1423b21
            • Instruction Fuzzy Hash: 13E0ED71C00549DFDB15DBAADA44AECB7BCAF58301F248085E152B2160DB70AA84FF26
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD86E2
            • PostMessageW.USER32(00000000), ref: 00FD86E9
              • Part of subcall function 00FB7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FB7AD0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: 59c37f2f66958dab83ff70b729e9940aad2208a16dab97e29e05d1ee3b9498e0
            • Instruction ID: 1f99e9fcae44b45f14c2fc5c801965df1ca1fc51554d6a89a07e98552c53a16d
            • Opcode Fuzzy Hash: 59c37f2f66958dab83ff70b729e9940aad2208a16dab97e29e05d1ee3b9498e0
            • Instruction Fuzzy Hash: 62D0C9323853286BE36567719C0BFD67A1DAB49B11F140819B649EE1D0C9A8A940DA54
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD86A2
            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FD86B5
              • Part of subcall function 00FB7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FB7AD0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1713581548.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true
            • Associated: 00000000.00000002.1713569216.0000000000F70000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.0000000000FFD000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713626282.000000000101E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713660564.000000000102A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1713720490.0000000001034000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_PO#001498.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: a647b65fefcfd222c89d4966dde56165f89fa1bc9b690621a68f1d25829f8ff8
            • Instruction ID: febb754b0a3e3ac9bf2f8057d8894f529a54ad3b45bf34013a18f3b4f95f0943
            • Opcode Fuzzy Hash: a647b65fefcfd222c89d4966dde56165f89fa1bc9b690621a68f1d25829f8ff8
            • Instruction Fuzzy Hash: 56D0C932384328A7E36467719C1BFD67A1DAF44B11F140819B649AE1D0C9A8A940DA54