Windows Analysis Report
AMS_Client_SSO.exe

Overview

General Information

Sample name:AMS_Client_SSO.exe
Analysis ID:1572226
MD5:fc361073495400d0da6736dc4cf07026
SHA1:1cf941c7e3873a23709601f18265d6e42761ef5a
SHA256:29e3344ef5e7d3e602d1db644513750b5af2a19301a8a628cf3e6014b311ba57
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • AMS_Client_SSO.exe (PID: 5036 cmdline: "C:\Users\user\Desktop\AMS_Client_SSO.exe" MD5: FC361073495400D0DA6736DC4CF07026)
    • AMS_Client_SSO.tmp (PID: 5096 cmdline: "C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp" /SL5="$103BC,703643,51712,C:\Users\user\Desktop\AMS_Client_SSO.exe" MD5: 82E31DC1C0FA036F7DFAFF76C13003CF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: AMS_Client_SSO.exeReversingLabs: Detection: 41%
Source: AMS_Client_SSO.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0047DD1C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_0047DD1C
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004622F4 FindFirstFileA,FindNextFileA,FindClose,1_2_004622F4
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00474460 FindFirstFileA,FindNextFileA,FindClose,1_2_00474460
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00454BE8 FindFirstFileA,GetLastError,1_2_00454BE8
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00497520 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00497520
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0046386C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_0046386C
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0047BC78 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_0047BC78
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00463CE8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463CE8
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: AMS_Client_SSO.exe, 00000000.00000003.2107777509.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107916582.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000000.2108351473.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AMS_Client_SSO.tmp.0.drString found in binary or memory: Http://Www.SkyGz.Com
Source: AMS_Client_SSO.exe, 00000000.00000003.2107485324.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107417313.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000002.3354271008.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000002.3354691063.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000003.2109008189.00000000030E0000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000003.2109077182.00000000021B8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ispp.sourceforge.net/
Source: AMS_Client_SSO.exe, 00000000.00000003.2107777509.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107916582.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, AMS_Client_SSO.tmp, 00000001.00000000.2108351473.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AMS_Client_SSO.tmp.0.drString found in binary or memory: http://www.innosetup.com/
Source: AMS_Client_SSO.exe, 00000000.00000003.2107777509.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107916582.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, AMS_Client_SSO.tmp, 00000001.00000000.2108351473.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AMS_Client_SSO.tmp.0.drString found in binary or memory: http://www.remobjects.com/ps
Source: AMS_Client_SSO.exe, 00000000.00000003.2107777509.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107916582.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000000.2108351473.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AMS_Client_SSO.tmp.0.drString found in binary or memory: http://www.remobjects.com/psU
Source: AMS_Client_SSO.exe, 00000000.00000003.2107485324.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107417313.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000002.3354271008.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000002.3354691063.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000003.2109008189.00000000030E0000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000003.2109077182.00000000021B8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ultrapower.com.cn/
Source: AMS_Client_SSO.exe, 00000000.00000003.2107485324.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000002.3354271008.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000002.3354691063.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000003.2109077182.00000000021B8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ultrapower.com.cn/.
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004239F0 NtdllDefWindowProc_A,1_2_004239F0
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0044C51C NtdllDefWindowProc_A,1_2_0044C51C
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0041253C NtdllDefWindowProc_A,1_2_0041253C
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00458D78 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,1_2_00458D78
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0042ED90 NtdllDefWindowProc_A,1_2_0042ED90
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004775A4 NtdllDefWindowProc_A,1_2_004775A4
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0042FF34 NtdllDefWindowProc_A,1_2_0042FF34
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0042E578: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,1_2_0042E578
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_004092AC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_004092AC
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00493114 ExitWindowsEx,1_2_00493114
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00457550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_00457550
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_004082900_2_00408290
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0047E9861_2_0047E986
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00466E5C1_2_00466E5C
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004700081_2_00470008
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004340881_2_00434088
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004443741_2_00444374
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0048473C1_2_0048473C
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0048C8C81_2_0048C8C8
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0044491C1_2_0044491C
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004309B81_2_004309B8
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0045CB601_2_0045CB60
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00434D8C1_2_00434D8C
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00468E881_2_00468E88
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004450141_2_00445014
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0048B1281_2_0048B128
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004454381_2_00445438
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004856141_2_00485614
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0045FACC1_2_0045FACC
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0043DBFC1_2_0043DBFC
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0042FCBC1_2_0042FCBC
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: String function: 004058DC appears 103 times
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: String function: 00403650 appears 229 times
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: String function: 00445F68 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: String function: 00403460 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: String function: 00433FA0 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: String function: 00445C98 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: String function: 004033CC appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: String function: 004069F0 appears 38 times
Source: AMS_Client_SSO.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: AMS_Client_SSO.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: AMS_Client_SSO.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: AMS_Client_SSO.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: AMS_Client_SSO.exe, 00000000.00000003.2107777509.0000000002350000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs AMS_Client_SSO.exe
Source: AMS_Client_SSO.exe, 00000000.00000003.2107916582.00000000020B8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs AMS_Client_SSO.exe
Source: classification engineClassification label: mal48.winEXE@3/4@0/0
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00457D8C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,1_2_00457D8C
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0045822C CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,1_2_0045822C
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_00409A04 FindResourceA,SizeofResource,LoadResource,LockResource,0_2_00409A04
Source: C:\Users\user\Desktop\AMS_Client_SSO.exe; File created: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\AMS_Client_SSO.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\Desktop\AMS_Client_SSO.exe; File read: C:\Users\user\Desktop\AMS_Client_SSO.exe
Source: unknownProcess created: C:\Users\user\Desktop\AMS_Client_SSO.exe "C:\Users\user\Desktop\AMS_Client_SSO.exe"
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeProcess created: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp "C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp" /SL5="$103BC,703643,51712,C:\Users\user\Desktop\AMS_Client_SSO.exe"
Source: C:\Users\user\Desktop\AMS_Client_SSO.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AMS_Client_SSO.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Window found: window name: TMainForm
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00464184 LoadLibraryA,GetProcAddress,1_2_00464184
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_004064B4 push 004064F1h; ret 0_2_004064E9
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_00404051 push eax; ret 0_2_0040408D
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_00404121 push 0040432Dh; ret 0_2_00404325
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_004041A2 push 0040432Dh; ret 0_2_00404325
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_0040421F push 0040432Dh; ret 0_2_00404325
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_00404284 push 0040432Dh; ret 0_2_00404325
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_00408D9C push 00408DCFh; ret 0_2_00408DC7
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_00407F88 push ecx; mov dword ptr [esp], eax0_2_00407F8D
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004098B4 push 004098F1h; ret 1_2_004098E9
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00406254 push ecx; mov dword ptr [esp], eax1_2_00406255
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00454484 push 004544B7h; ret 1_2_004544AF
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00410640 push ecx; mov dword ptr [esp], edx1_2_00410645
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0040A6C8 push esp; retf 1_2_0040A6D1
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004768D8 push ecx; mov dword ptr [esp], edx1_2_004768D9
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0041288C push 004128EFh; ret 1_2_004128E7
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004309B8 push ecx; mov dword ptr [esp], eax1_2_004309BD
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0044CBA8 push 0044CBFDh; ret 1_2_0044CBF5
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0045AF2C push 0045AF70h; ret 1_2_0045AF68
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0040CF98 push ecx; mov dword ptr [esp], edx1_2_0040CF9A
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0048309C push ecx; mov dword ptr [esp], ecx1_2_004830A1
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004432EC push ecx; mov dword ptr [esp], ecx1_2_004432F0
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004053CD push eax; ret 1_2_00405409
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0040F4F8 push ecx; mov dword ptr [esp], edx1_2_0040F4FA
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0040549D push 004056A9h; ret 1_2_004056A1
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0040551E push 004056A9h; ret 1_2_004056A1
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0040559B push 004056A9h; ret 1_2_004056A1
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00405600 push 004056A9h; ret 1_2_004056A1
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0045F7C4 push ecx; mov dword ptr [esp], eax1_2_0045F7C9
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00459788 push 004597C0h; ret 1_2_004597B8
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00481A64 push 00481B42h; ret 1_2_00481B3A
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; File created: C:\Users\user\AppData\Local\Temp\is-5M5FN.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\Desktop\AMS_Client_SSO.exe; File created: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; File created: C:\Users\user\AppData\Local\Temp\is-5M5FN.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; File created: C:\Users\user\AppData\Local\Temp\is-5M5FN.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_004226CC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,1_2_004226CC
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00423A78 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_00423A78
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00424048 IsIconic,SetActiveWindow,SetFocus,1_2_00424048
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00424000 IsIconic,SetActiveWindow,1_2_00424000
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00418270 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,1_2_00418270
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00481420 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,1_2_00481420
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00417494 IsIconic,GetCapture,1_2_00417494
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00417BBA IsIconic,SetWindowPos,1_2_00417BBA
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00417BBC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,1_2_00417BBC
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0044E68C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0044E68C
Source: C:\Users\user\Desktop\AMS_Client_SSO.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5M5FN.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5M5FN.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5M5FN.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-5379
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_1-51945
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_00409948 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409948
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeAPI call chain: ExitProcess graph end nodegraph_0-6682
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00477040 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_00477040
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0045E548 GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree,1_2_0045E548
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: GetLocaleInfoA,0_2_004050F8
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: GetLocaleInfoA,0_2_00405144
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: GetLocaleInfoA,1_2_004084D0
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: GetLocaleInfoA,1_2_0040851C
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_0045A2C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_0045A2C8
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_00402698 GetSystemTime,0_2_00402698
Source: C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmpCode function: 1_2_00457508 GetUserNameA,1_2_00457508
Source: C:\Users\user\Desktop\AMS_Client_SSO.exeCode function: 0_2_00405BE0 GetVersionExA,0_2_00405BE0
Tactic: techniques (number shown in the matrix cell, where present)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Exploitation for Privilege Escalation (1); Access Token Manipulation (1); Process Injection (2); DLL Side-Loading (1); Network Logon Script; RC Scripts
Defense Evasion: Access Token Manipulation (1); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (3); File and Directory Discovery (3); System Information Discovery (15)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
AMS_Client_SSO.exe | 42% | ReversingLabs | Win32.Trojan.Generic

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\is-5M5FN.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-5M5FN.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-5M5FN.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp | 5% | ReversingLabs |

No Antivirus matches

Source | Detection | Scanner | Label
http://www.remobjects.com/psU | 0% | Avira URL Cloud | safe
http://www.ultrapower.com.cn/. | 0% | Avira URL Cloud | safe
http://www.ultrapower.com.cn/ | 0% | Avira URL Cloud | safe
Http://Www.SkyGz.Com | 0% | Avira URL Cloud | safe
http://ispp.sourceforge.net/ | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | AMS_Client_SSO.exe, 00000000.00000003.2107777509.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107916582.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, AMS_Client_SSO.tmp, 00000001.00000000.2108351473.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AMS_Client_SSO.tmp.0.dr | false | | high
http://www.ultrapower.com.cn/. | AMS_Client_SSO.exe, 00000000.00000003.2107485324.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000002.3354271008.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000002.3354691063.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000003.2109077182.00000000021B8000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/psU | AMS_Client_SSO.exe, 00000000.00000003.2107777509.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107916582.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000000.2108351473.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AMS_Client_SSO.tmp.0.dr | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/ps | AMS_Client_SSO.exe, 00000000.00000003.2107777509.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107916582.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, AMS_Client_SSO.tmp, 00000001.00000000.2108351473.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AMS_Client_SSO.tmp.0.dr | false | | high
http://ispp.sourceforge.net/ | AMS_Client_SSO.exe, 00000000.00000003.2107485324.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107417313.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000002.3354271008.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000002.3354691063.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000003.2109008189.00000000030E0000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000003.2109077182.00000000021B8000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Http://Www.SkyGz.Com | AMS_Client_SSO.exe, 00000000.00000003.2107777509.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107916582.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000000.2108351473.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AMS_Client_SSO.tmp.0.dr | false | Avira URL Cloud: safe | unknown
http://www.ultrapower.com.cn/ | AMS_Client_SSO.exe, 00000000.00000003.2107485324.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000003.2107417313.0000000002350000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.exe, 00000000.00000002.3354271008.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000002.3354691063.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000003.2109008189.00000000030E0000.00000004.00001000.00020000.00000000.sdmp, AMS_Client_SSO.tmp, 00000001.00000003.2109077182.00000000021B8000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      No contacted IP infos
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1572226
      Start date and time:2024-12-10 09:39:17 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 57s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:AMS_Client_SSO.exe
      Detection:MAL
      Classification:mal48.winEXE@3/4@0/0
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 97%
      • Number of executed functions: 92
      • Number of non-executed functions: 185
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
      • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • VT rate limit hit for: AMS_Client_SSO.exe
      No simulations
      No context
Match: C:\Users\user\AppData\Local\Temp\is-5M5FN.tmp\_isetup\_setup64.tmp
Associated Sample Name / URL | Detection | Threat Name
i9DKxTZoVd.exe | malicious | Unknown
i9DKxTZoVd.exe | malicious | Unknown
8wTiPaCBRi.exe | malicious | Amadey
file.exe | malicious | Socks5Systemz
file.exe | malicious | Socks5Systemz
NLtIe7ZgkL.exe | malicious | Socks5Systemz
NLtIe7ZgkL.exe | malicious | Socks5Systemz
AUCHKVG4Ic.exe | malicious | Socks5Systemz
getlab.exe | malicious | Socks5Systemz
SekpL8Z26C.exe | malicious | Unknown

Match: C:\Users\user\AppData\Local\Temp\is-5M5FN.tmp\_isetup\_RegDLL.tmp
Associated Sample Name / URL | Detection | Threat Name
SecuriteInfo.com.Win32.Packed.NoobyProtect.B.19272.10303.exe | malicious | Unknown
V9hLDJOZnm.exe | malicious | Unknown
8XEqRUCz9d.exe | malicious | Unknown
SDClient-Setup.exe | malicious | Unknown
                                  Process:C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):4096
                                  Entropy (8bit):4.080671969914963
                                  Encrypted:false
                                  SSDEEP:48:ifCpgk2ufdWcjSOnTiquEMx5BGyI1ZNgK+bIg4yz5eO4yrL:NgkNdW/tx5G13gtwCoOF/
                                  MD5:4248FA25D2F50EBE23EAD46140933013
                                  SHA1:0DC9CF70FF66FE0BD9EAACA4593270464341A108
                                  SHA-256:5200596D2349CD7FEB4DBD4C78EB7D67FE334838460A3C290575A4B3E4CC6633
                                  SHA-512:914BC2188002755A30B65EB437B25D343DC171DC0B9216757FE84FA940E307C8222DFE28315392F642E930D757115D7264615E29E70B8F4E5604B37C683C9CBE
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Joe Sandbox View:
                                  • Filename: SecuriteInfo.com.Win32.Packed.NoobyProtect.B.19272.10303.exe, Detection: malicious
                                  • Filename: V9hLDJOZnm.exe, Detection: malicious
                                  • Filename: 8XEqRUCz9d.exe, Detection: malicious
                                  • Filename: SDClient-Setup.exe, Detection: malicious
                                  Reputation:moderate, very likely benign file
                                  Process:C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp
                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):6144
                                  Entropy (8bit):4.215994423157539
                                  Encrypted:false
                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                  MD5:4FF75F505FDDCC6A9AE62216446205D9
                                  SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                  SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                  SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Joe Sandbox View:
                                  • Filename: i9DKxTZoVd.exe, Detection: malicious
                                  • Filename: i9DKxTZoVd.exe, Detection: malicious
                                  • Filename: 8wTiPaCBRi.exe, Detection: malicious
                                  • Filename: file.exe, Detection: malicious
                                  • Filename: file.exe, Detection: malicious
                                  • Filename: NLtIe7ZgkL.exe, Detection: malicious
                                  • Filename: NLtIe7ZgkL.exe, Detection: malicious
                                  • Filename: AUCHKVG4Ic.exe, Detection: malicious
                                  • Filename: getlab.exe, Detection: malicious
                                  • Filename: SekpL8Z26C.exe, Detection: malicious
                                  Reputation:high, very likely benign file
                                  Process:C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                  Category:dropped
                                  Size (bytes):23312
                                  Entropy (8bit):4.596242908851566
                                  Encrypted:false
                                  SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                  MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                  SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                  SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                  SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:high, very likely benign file
                                  Process:C:\Users\user\Desktop\AMS_Client_SSO.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):709632
                                  Entropy (8bit):6.518267624992226
                                  Encrypted:false
                                  SSDEEP:12288:DbYDJPwYXu6krl7P5WRX8Jmy8ZlDKLRzPoP5Oi+gHx++:PYtwYXu9l7Py8Ap70PoP5v+gHx++
                                  MD5:82E31DC1C0FA036F7DFAFF76C13003CF
                                  SHA1:2642671A2FAF72AF7D64E953B49E62F538D53824
                                  SHA-256:DB6AA814463FA84A36BD66EFACFAA1B91F92BA658B7145FABF5F6EE018E4C634
                                  SHA-512:86F09D6387FEDF6CFEC7EDD1E93AD89898377E314BAAF75DC090194C3AF17339A592BA5342C5240BE4F9A12BBC40F621062226660B32047843564037155B3641
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 5%
                                  Reputation:low
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.982106485180035
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 98.86%
                                  • Inno Setup installer (109748/4) 1.08%
                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  File name:AMS_Client_SSO.exe
                                  File size:950'272 bytes
                                  MD5:fc361073495400d0da6736dc4cf07026
                                  SHA1:1cf941c7e3873a23709601f18265d6e42761ef5a
                                  SHA256:29e3344ef5e7d3e602d1db644513750b5af2a19301a8a628cf3e6014b311ba57
                                  SHA512:26402ef322c73ca004fb0c77d192562ad8eb5c423aec8bb3c38704e132cce4ba00e50810d236a41a6a7f99767be56e932e465dbd33653e8238f34695422bbc45
                                  SSDEEP:24576:Bs5qgsbGaf1lRVKLCMGyx2lOhPZqegbsUE:evKaCU2khPZqbE
                                  TLSH:B515234AC8C0C931C062ADF0CA1279418F777E592E7C351176AD6E9E6F6A2C091CB6F7
                                  Icon Hash:2d2e3797b32b2b99
                                  Entrypoint:0x409a58
                                  Entrypoint Section:CODE
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:1
                                  OS Version Minor:0
                                  File Version Major:1
                                  File Version Minor:0
                                  Subsystem Version Major:1
                                  Subsystem Version Minor:0
                                  Import Hash:aa770df5b9e208c1ca436e9267f0d390
                                  Instruction
                                  push ebp
                                  mov ebp, esp
                                  add esp, FFFFFFC4h
                                  push ebx
                                  push esi
                                  push edi
                                  xor eax, eax
                                  mov dword ptr [ebp-10h], eax
                                  mov dword ptr [ebp-24h], eax
                                  call 00007F12B48B1957h
                                  call 00007F12B48B2B26h
                                  call 00007F12B48B4D51h
                                  call 00007F12B48B4D98h
                                  call 00007F12B48B762Fh
                                  call 00007F12B48B7796h
                                  xor eax, eax
                                  push ebp
                                  push 0040A10Fh
                                  push dword ptr fs:[eax]
                                  mov dword ptr fs:[eax], esp
                                  xor edx, edx
                                  push ebp
                                  push 0040A0D8h
                                  push dword ptr fs:[edx]
                                  mov dword ptr fs:[edx], esp
                                  mov eax, dword ptr [0040C014h]
                                  call 00007F12B48B81B0h
                                  call 00007F12B48B7D37h
                                  lea edx, dword ptr [ebp-10h]
                                  xor eax, eax
                                  call 00007F12B48B5381h
                                  mov edx, dword ptr [ebp-10h]
                                  mov eax, 0040CDE4h
                                  call 00007F12B48B19ECh
                                  push 00000002h
                                  push 00000000h
                                  push 00000001h
                                  mov ecx, dword ptr [0040CDE4h]
                                  mov dl, 01h
                                  mov eax, 00407288h
                                  call 00007F12B48B5C10h
                                  mov dword ptr [0040CDE8h], eax
                                  xor edx, edx
                                  push ebp
                                  push 0040A090h
                                  push dword ptr fs:[edx]
                                  mov dword ptr fs:[edx], esp
                                  call 00007F12B48B8220h
                                  mov dword ptr [0040CDF0h], eax
                                  mov eax, dword ptr [0040CDF0h]
                                  cmp dword ptr [eax+0Ch], 01h
                                  jne 00007F12B48B835Ah
                                  mov eax, dword ptr [0040CDF0h]
                                  mov edx, 00000028h
                                  call 00007F12B48B6011h
                                  mov edx, dword ptr [0040CDF0h]
                                  cmp eax, dword ptr [edx+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x94c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9178 | 0x9200 | 796c97a17dbe0ad9a1c914ed1e945e48 | False | 0.6155286815068494 | data | 6.551244836492117 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | 1bd77779467ab96dd74fe03fb630c967 | False | 0.310546875 | data | 2.7582893372852912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe48 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x94c | 0xa00 | 7932207301aa0be68ad680d185f2dca1 | False | 0.4140625 | data | 4.430263517183687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8ac | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2400 | 0x2400 | c3ec4e9c18c83da8d71ffdf96dcf943a | False | 0.3795572916666667 | data | 5.015393696848271 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x142 | data | | | 0.6242236024844721
RT_STRING | 0x126b8 | 0x116 | data | | | 0.7661870503597122
RT_STRING | 0x127d0 | 0xfe | AmigaOS bitmap font "\017_\034 %", 15464 elements, 2nd, 3rd | | | 0.8464566929133859
RT_STRING | 0x128d0 | 0x68 | data | | | 0.75
RT_STRING | 0x12938 | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x129ec | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x12a9c | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x12ac8 | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x12b08 | 0x488 | data | Chinese | China | 0.33017241379310347
RT_MANIFEST | 0x12f90 | 0x462 | XML 1.0 document, ASCII text, with very long lines (1120), with CRLF line terminators | Chinese | China | 0.4839572192513369
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopy, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
                                  Language of compilation system | Country where language is spoken
                                  Dutch | Netherlands
                                  English | United States
                                  Chinese | China
                                  No network behavior found

                                  Target ID:0
                                  Start time:03:40:06
                                  Start date:10/12/2024
                                  Path:C:\Users\user\Desktop\AMS_Client_SSO.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\AMS_Client_SSO.exe"
                                  Imagebase:0x400000
                                  File size:950'272 bytes
                                  MD5 hash:FC361073495400D0DA6736DC4CF07026
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:false

                                  Target ID:1
                                  Start time:03:40:06
                                  Start date:10/12/2024
                                  Path:C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-RVLT8.tmp\AMS_Client_SSO.tmp" /SL5="$103BC,703643,51712,C:\Users\user\Desktop\AMS_Client_SSO.exe"
                                  Imagebase:0x400000
                                  File size:709'632 bytes
                                  MD5 hash:82E31DC1C0FA036F7DFAFF76C13003CF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 5%, ReversingLabs
                                  Reputation:low
                                  Has exited:false

                                    Execution Graph

                                    Execution Coverage:21.1%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:2.3%
                                    Total number of Nodes:1543
                                    Total number of Limit Nodes:19
405080 18 API calls 5028 4058e2 5027->5028 5036 4031a0 5028->5036 5034 403230 LocalAlloc TlsSetValue TlsGetValue 5033->5034 5035 404bf5 5034->5035 5035->5027 5037 4031a4 5036->5037 5038 4031b4 5036->5038 5037->5038 5040 40320c LocalAlloc TlsSetValue TlsGetValue 5037->5040 5039 4031e0 5038->5039 5041 402580 LocalAlloc TlsSetValue TlsGetValue 5038->5041 5042 403170 5039->5042 5040->5038 5041->5039 5044 403176 5042->5044 5043 40319b 5043->5022 5044->5043 5045 402580 LocalAlloc TlsSetValue TlsGetValue 5044->5045 5045->5044 5047 403953 5046->5047 5052 40385c 5047->5052 5049 403973 5050 403150 3 API calls 5049->5050 5051 40397a 5050->5051 5051->5009 5053 403870 5052->5053 5054 40387d 5052->5054 5080 403730 5053->5080 5056 403883 5054->5056 5057 4038dc 5054->5057 5060 403896 5056->5060 5061 403889 5056->5061 5058 4038e3 5057->5058 5059 40393b 5057->5059 5062 4038f3 5058->5062 5063 4038e9 5058->5063 5066 40379c 3 API calls 5059->5066 5065 40383c 6 API calls 5060->5065 5089 40383c 5061->5089 5068 40379c 3 API calls 5062->5068 5104 40380c 5063->5104 5070 4038a4 5065->5070 5069 403878 5066->5069 5071 403905 5068->5071 5069->5049 5094 40379c 5070->5094 5073 40380c 8 API calls 5071->5073 5075 40391e 5073->5075 5074 4038bf 5100 4036fc 5074->5100 5078 4036fc VariantClear 5075->5078 5077 4038d4 5077->5049 5079 403933 5078->5079 5079->5049 5081 403798 5080->5081 5083 403734 5080->5083 5081->5069 5082 403753 5086 40378c VariantCopy 5082->5086 5088 40375b 5082->5088 5083->5082 5084 403743 VariantClear 5083->5084 5085 40374b 5083->5085 5084->5082 5087 403150 LocalAlloc TlsSetValue TlsGetValue 5085->5087 5086->5081 5087->5082 5088->5069 5090 403670 MultiByteToWideChar SysAllocStringLen MultiByteToWideChar SysAllocStringLen MultiByteToWideChar 5089->5090 5091 403848 5090->5091 5092 4036fc VariantClear 5091->5092 5093 403851 5092->5093 5093->5069 5095 4037b2 VariantChangeTypeEx 5094->5095 5096 4037ed VariantChangeTypeEx 5094->5096 5097 4037ce 5095->5097 5099 4037da 5096->5099 5098 4036fc 
VariantClear 5097->5098 5098->5099 5099->5074 5101 403709 5100->5101 5102 403716 5100->5102 5101->5102 5103 403729 VariantClear 5101->5103 5102->5077 5103->5077 5105 403654 7 API calls 5104->5105 5106 403823 5105->5106 5107 4036fc VariantClear 5106->5107 5108 40382a 5107->5108 5108->5069 5110 405838 5109->5110 5111 404bc8 4 API calls 5110->5111 5112 40585e 5111->5112 5113 4031a0 3 API calls 5112->5113 5114 405869 5113->5114 5115 403150 3 API calls 5114->5115 5116 40587e 5115->5116 5116->5002 5118 402584 5117->5118 5119 40258e 5117->5119 5118->5119 5120 40311c 3 API calls 5118->5120 5119->4960 5119->5119 5120->5119 6803 4059c0 6804 4059c8 6803->6804 6808 4059d0 6803->6808 6805 4059d7 6804->6805 6806 4059ce 6804->6806 6807 40582c 4 API calls 6805->6807 6810 405938 6806->6810 6807->6808 6811 405940 6810->6811 6812 40595a 6811->6812 6815 40311c 3 API calls 6811->6815 6813 405976 6812->6813 6814 40595f 6812->6814 6817 40311c 3 API calls 6813->6817 6816 40582c 4 API calls 6814->6816 6815->6811 6818 405972 6816->6818 6819 40597b 6817->6819 6821 40311c 3 API calls 6818->6821 6820 40589c 18 API calls 6819->6820 6820->6818 6822 4059a4 6821->6822 6823 40311c 3 API calls 6822->6823 6824 4059b2 6823->6824 6824->6808 5308 4075c4 WriteFile 5309 4075e4 5308->5309 5310 4075eb 5308->5310 5311 407388 20 API calls 5309->5311 5312 4075fc 5310->5312 5313 4072e8 19 API calls 5310->5313 5311->5310 5313->5312 6371 402ac6 6372 402ad2 6371->6372 6375 402ea4 6372->6375 6376 40311c 3 API calls 6375->6376 6378 402eb4 6376->6378 6377 402ad7 6378->6377 6380 402ae0 6378->6380 6381 402af9 6380->6381 6382 402ae9 RaiseException 6380->6382 6381->6377 6382->6381 6391 408cce 6393 408cf2 6391->6393 6392 408c9c 3 API calls 6394 408d0a 6392->6394 6393->6392 6393->6394 6395 408c9c 3 API calls 6394->6395 6396 408d2e 6394->6396 6395->6396 6397 407814 InterlockedExchange 6396->6397 6398 408d49 6397->6398 6399 408c9c 3 API calls 6398->6399 6401 408d5c 6398->6401 6399->6401 6400 408c9c 3 API calls 6400->6401 
6401->6400 6402 403230 3 API calls 6401->6402 6403 408d8b 6401->6403 6402->6401 6825 402dce 6826 402dfa 6825->6826 6827 402de1 6825->6827 6829 402b78 6827->6829 6830 402b81 6829->6830 6831 402b9d 6829->6831 6832 402b89 RaiseException 6830->6832 6831->6826 6832->6831 6833 4039d0 ReadFile 6834 4039f1 GetLastError 6833->6834 6835 4039ee 6833->6835 6408 4038da 6409 4038cc 6408->6409 6410 4036fc VariantClear 6409->6410 6411 4038d4 6410->6411 6412 407cdc 6413 407d04 VirtualFree 6412->6413 6414 407ce9 6413->6414 6836 402bdc 6839 402c56 6836->6839 6840 402bed 6836->6840 6837 402c2a RtlUnwind 6838 40311c 3 API calls 6837->6838 6838->6839 6840->6837 6840->6839 6841 402afc RaiseException 6840->6841 6842 402c21 6841->6842 6842->6837 6415 40a0dd 6424 409468 6415->6424 6418 402ef8 4 API calls 6419 40a0e7 6418->6419 6420 403150 3 API calls 6419->6420 6421 40a106 6420->6421 6422 403150 3 API calls 6421->6422 6423 40a10e 6422->6423 6433 405598 6424->6433 6426 4094b1 6429 403150 3 API calls 6426->6429 6427 409483 6427->6426 6439 407108 6427->6439 6430 4094c6 6429->6430 6430->6418 6431 4094a1 6432 4094a9 MessageBoxA 6431->6432 6432->6426 6434 40311c 3 API calls 6433->6434 6435 40559d 6434->6435 6436 4055b5 6435->6436 6437 40311c 3 API calls 6435->6437 6436->6427 6438 4055ab 6437->6438 6438->6427 6440 405598 3 API calls 6439->6440 6441 407117 6440->6441 6442 40712b 6441->6442 6443 40711d 6441->6443 6445 40713b 6442->6445 6446 407147 6442->6446 6444 4031e4 3 API calls 6443->6444 6448 407129 6444->6448 6450 4070cc 6445->6450 6457 403270 6446->6457 6448->6431 6451 4031e4 3 API calls 6450->6451 6452 4070db 6451->6452 6453 4070f8 6452->6453 6454 40684c CharPrevA 6452->6454 6453->6448 6455 4070e7 6454->6455 6455->6453 6456 4032b4 3 API calls 6455->6456 6456->6453 6458 403230 3 API calls 6457->6458 6459 40327a 6458->6459 6459->6448 6460 403ee6 6461 403ef8 6460->6461 6462 403eef 6460->6462 6464 403ea3 6462->6464 6467 403ea5 6464->6467 6466 403ed8 6466->6461 6468 403e38 6467->6468 6470 40311c 
3 API calls 6467->6470 6475 403ed9 6467->6475 6487 403e38 6467->6487 6468->6466 6469 403e8e 6468->6469 6476 403e45 6468->6476 6478 403e2a 6468->6478 6473 402648 3 API calls 6469->6473 6470->6467 6471 403e6b 6471->6461 6473->6471 6475->6461 6476->6471 6477 402648 3 API calls 6476->6477 6477->6471 6479 403de8 6478->6479 6480 403e17 6479->6480 6481 403dfe 6479->6481 6485 403e03 6479->6485 6482 402648 3 API calls 6480->6482 6483 403c68 3 API calls 6481->6483 6484 403e14 6482->6484 6483->6485 6484->6469 6484->6476 6485->6484 6486 402648 3 API calls 6485->6486 6486->6484 6488 403e73 6487->6488 6490 403e45 6487->6490 6489 403e8e 6488->6489 6492 403e2a 3 API calls 6488->6492 6493 402648 3 API calls 6489->6493 6491 403e6b 6490->6491 6495 402648 3 API calls 6490->6495 6491->6467 6494 403e82 6492->6494 6493->6491 6494->6489 6494->6490 6495->6491 6500 409ee8 6501 409f18 6500->6501 6502 409f22 CreateWindowExA SetWindowLongA 6501->6502 6503 405080 18 API calls 6502->6503 6504 409fa5 6503->6504 6505 4032b4 3 API calls 6504->6505 6506 409fb3 6505->6506 6507 4032b4 3 API calls 6506->6507 6508 409fc0 6507->6508 6509 406a78 4 API calls 6508->6509 6510 409fcc 6509->6510 6511 4032b4 3 API calls 6510->6511 6512 409fd5 6511->6512 6513 4097dc 28 API calls 6512->6513 6514 409fe7 6513->6514 6515 4095f0 4 API calls 6514->6515 6516 409ffa 6514->6516 6515->6516 6517 40a033 6516->6517 6518 409350 9 API calls 6516->6518 6519 40a04c 6517->6519 6523 40a046 RemoveDirectoryA 6517->6523 6518->6517 6520 40a060 6519->6520 6521 40a055 73EA5CF0 6519->6521 6522 40a088 6520->6522 6524 403534 3 API calls 6520->6524 6521->6520 6523->6519 6525 40a07e 6524->6525 6526 402580 3 API calls 6525->6526 6526->6522 6531 407af5 6532 407b10 6531->6532 6533 407b4f 6531->6533 6532->6533 6534 407a5c 20 API calls 6532->6534 6534->6532 6537 4074f6 GetFileSize 6538 407522 6537->6538 6539 407512 GetLastError 6537->6539 6539->6538 6540 40751b 6539->6540 6541 407388 20 API calls 6540->6541 6541->6538 6542 406ef7 6543 406f04 
SetErrorMode 6542->6543 6544 409efa 6545 409f3e CreateWindowExA SetWindowLongA 6544->6545 6546 409efe 6544->6546 6547 409fa5 6545->6547 6548 405080 18 API calls 6545->6548 6546->6545 6549 4032b4 3 API calls 6547->6549 6548->6547 6550 409fb3 6549->6550 6551 4032b4 3 API calls 6550->6551 6552 409fc0 6551->6552 6553 406a78 4 API calls 6552->6553 6554 409fcc 6553->6554 6555 4032b4 3 API calls 6554->6555 6556 409fd5 6555->6556 6557 4097dc 28 API calls 6556->6557 6558 409fe7 6557->6558 6559 4095f0 4 API calls 6558->6559 6560 409ffa 6558->6560 6559->6560 6561 40a033 6560->6561 6562 409350 9 API calls 6560->6562 6563 40a04c 6561->6563 6567 40a046 RemoveDirectoryA 6561->6567 6562->6561 6564 40a060 6563->6564 6565 40a055 73EA5CF0 6563->6565 6566 40a088 6564->6566 6568 403534 3 API calls 6564->6568 6565->6564 6567->6563 6569 40a07e 6568->6569 6570 402580 3 API calls 6569->6570 6570->6566 6852 4039fa 6853 403a02 WriteFile 6852->6853 6854 403a1c 6852->6854 6853->6854 6855 403a20 GetLastError 6853->6855 6855->6854 6575 402880 6576 402568 3 API calls 6575->6576 6577 40288a 6576->6577 6578 408e82 6579 408e74 6578->6579 6580 408e10 Wow64RevertWow64FsRedirection 6579->6580 6581 408e7c 6580->6581 6586 408e84 SetLastError 6587 408e8d 6586->6587 6598 401a8d 6599 401a6a 6598->6599 6600 401a73 RtlLeaveCriticalSection 6599->6600 6601 401a7d RtlDeleteCriticalSection 6599->6601 6600->6601 6602 405a8e 6603 405a90 6602->6603 6604 405acc 6603->6604 6605 405ae3 6603->6605 6606 405ac6 6603->6606 6607 40582c 4 API calls 6604->6607 6611 404bc8 4 API calls 6605->6611 6606->6604 6608 405b38 6606->6608 6609 405adf 6607->6609 6610 40589c 18 API calls 6608->6610 6613 403150 3 API calls 6609->6613 6610->6609 6612 405b0c 6611->6612 6614 40589c 18 API calls 6612->6614 6615 405b72 6613->6615 6614->6609 6630 408a94 6631 408a9b 6630->6631 6632 403150 3 API calls 6631->6632 6639 408b35 6632->6639 6633 408b60 6634 403170 3 API calls 6633->6634 6636 408bed 6634->6636 6635 408b4c 6638 4032b4 3 API calls 
6635->6638 6637 403230 3 API calls 6637->6639 6638->6633 6639->6633 6639->6635 6639->6637 6640 4032b4 LocalAlloc TlsSetValue TlsGetValue 6639->6640 6640->6639 6856 408d94 6859 408c80 6856->6859 6860 408c89 6859->6860 6861 403150 3 API calls 6860->6861 6862 408c97 6860->6862 6861->6860 6641 40a095 6643 40a007 6641->6643 6642 40a033 6645 40a04c 6642->6645 6649 40a046 RemoveDirectoryA 6642->6649 6643->6642 6644 409350 9 API calls 6643->6644 6644->6642 6646 40a060 6645->6646 6647 40a055 73EA5CF0 6645->6647 6648 40a088 6646->6648 6650 403534 3 API calls 6646->6650 6647->6646 6649->6645 6651 40a07e 6650->6651 6652 402580 3 API calls 6651->6652 6652->6648 6653 40a09a 6654 40a0a3 6653->6654 6656 40a0ce 6653->6656 6663 409340 6654->6663 6657 403150 3 API calls 6656->6657 6659 40a106 6657->6659 6658 40a0a8 6658->6656 6660 40a0c6 MessageBoxA 6658->6660 6661 403150 3 API calls 6659->6661 6660->6656 6662 40a10e 6661->6662 6666 4092ac 6663->6666 6667 409319 ExitWindowsEx 6666->6667 6668 4092be GetCurrentProcess OpenProcessToken 6666->6668 6670 4092d0 6667->6670 6669 4092d4 LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6668->6669 6668->6670 6669->6667 6669->6670 6670->6658 6671 402ca0 6674 402cd2 6671->6674 6675 402cb1 6671->6675 6672 402d5c RtlUnwind 6673 40311c 3 API calls 6672->6673 6673->6674 6675->6672 6675->6674 6678 402afc 6675->6678 6679 402b05 RaiseException 6678->6679 6680 402b1b 6678->6680 6679->6680 6680->6672 6681 403ca2 6683 403cb2 6681->6683 6682 403d7f ExitProcess 6683->6682 6684 403d58 6683->6684 6685 403d8a 6683->6685 6691 403d44 6683->6691 6692 403d2f MessageBoxA 6683->6692 6686 403c68 3 API calls 6684->6686 6687 403d62 6686->6687 6688 403c68 3 API calls 6687->6688 6689 403d6c 6688->6689 6701 4019b0 6689->6701 6697 403f80 6691->6697 6692->6684 6694 403d71 6694->6682 6694->6685 6698 403f84 6697->6698 6699 403ea3 3 API calls 6698->6699 6700 403fa2 6699->6700 6702 4019c1 6701->6702 6703 401a8f 6701->6703 6704 4019e2 LocalFree 6702->6704 6705 4019d8 
RtlEnterCriticalSection 6702->6705 6703->6694 6706 401a15 6704->6706 6705->6704 6707 401a03 VirtualFree 6706->6707 6708 401a1d 6706->6708 6707->6706 6709 401a44 LocalFree 6708->6709 6710 401a5b 6708->6710 6709->6709 6709->6710 6711 401a73 RtlLeaveCriticalSection 6710->6711 6712 401a7d RtlDeleteCriticalSection 6710->6712 6711->6712 6712->6694 6863 4041a2 6864 4041a6 6863->6864 6865 404168 6863->6865 6866 40421e 6864->6866 6867 40311c 3 API calls 6864->6867 6868 4042bf 6867->6868 5126 4024a4 5127 4024b8 5126->5127 5128 4024cb 5126->5128 5165 4018ec RtlInitializeCriticalSection 5127->5165 5130 4024e2 RtlEnterCriticalSection 5128->5130 5131 4024ec 5128->5131 5130->5131 5142 4022d4 5131->5142 5134 4024c1 5137 402505 5140 4024f9 5137->5140 5172 402130 5137->5172 5138 402555 5139 40254b RtlLeaveCriticalSection 5139->5138 5140->5138 5140->5139 5143 4022e8 5142->5143 5144 402309 5143->5144 5150 40238c 5143->5150 5145 402318 5144->5145 5186 401b48 5144->5186 5145->5140 5152 401fa8 5145->5152 5149 402429 5149->5145 5193 401cd4 5149->5193 5150->5145 5150->5149 5189 401d54 5150->5189 5197 401e58 5150->5197 5153 401fbc 5152->5153 5154 401fcf 5152->5154 5155 4018ec 4 API calls 5153->5155 5156 401fe6 RtlEnterCriticalSection 5154->5156 5159 401ff0 5154->5159 5157 401fc1 5155->5157 5156->5159 5157->5154 5158 401fc5 5157->5158 5162 402026 5158->5162 5159->5162 5279 401eb4 5159->5279 5162->5137 5163 402111 RtlLeaveCriticalSection 5164 40211b 5163->5164 5164->5137 5166 401910 RtlEnterCriticalSection 5165->5166 5167 40191a 5165->5167 5166->5167 5168 401938 LocalAlloc 5167->5168 5171 401952 5168->5171 5169 4019a1 5169->5128 5169->5134 5170 401997 RtlLeaveCriticalSection 5170->5169 5171->5169 5171->5170 5173 40214e 5172->5173 5174 402149 5172->5174 5176 40217f RtlEnterCriticalSection 5173->5176 5179 402189 5173->5179 5180 402152 5173->5180 5175 4018ec 4 API calls 5174->5175 5175->5173 5176->5179 5177 402195 5181 4022c1 5177->5181 5182 4022b7 RtlLeaveCriticalSection 5177->5182 5178 402218 
5178->5180 5183 401d54 7 API calls 5178->5183 5179->5177 5179->5178 5184 402244 5179->5184 5180->5140 5181->5140 5182->5181 5183->5180 5184->5177 5185 401cd4 7 API calls 5184->5185 5185->5177 5187 402130 9 API calls 5186->5187 5188 401b69 5187->5188 5188->5145 5190 401d5d 5189->5190 5191 401d66 5189->5191 5190->5191 5192 401b48 9 API calls 5190->5192 5191->5150 5192->5191 5194 401d22 5193->5194 5195 401cf2 5193->5195 5194->5195 5202 401c3c 5194->5202 5195->5145 5257 40173c 5197->5257 5199 401e6d 5200 401e7a 5199->5200 5268 401da0 5199->5268 5200->5150 5203 401c4e 5202->5203 5204 401c71 5203->5204 5205 401c83 5203->5205 5215 401860 5204->5215 5207 401860 3 API calls 5205->5207 5208 401c81 5207->5208 5214 401c99 5208->5214 5225 401b18 5208->5225 5210 401ca8 5211 401cc2 5210->5211 5230 401b6c 5210->5230 5235 401384 5211->5235 5214->5195 5216 401886 5215->5216 5218 4018df 5215->5218 5239 40162c 5216->5239 5218->5208 5222 4018ba 5222->5218 5224 401384 LocalAlloc 5222->5224 5224->5218 5226 401b35 5225->5226 5227 401b26 5225->5227 5226->5210 5228 401cd4 9 API calls 5227->5228 5229 401b33 5228->5229 5229->5210 5231 401b71 5230->5231 5232 401b7f 5230->5232 5233 401b48 9 API calls 5231->5233 5232->5211 5234 401b7e 5233->5234 5234->5211 5236 40138f 5235->5236 5237 4013aa 5236->5237 5238 4012e4 LocalAlloc 5236->5238 5237->5214 5238->5237 5241 401663 5239->5241 5240 4016a3 5243 401320 5240->5243 5241->5240 5242 40167d VirtualFree 5241->5242 5242->5241 5244 401333 5243->5244 5251 4012e4 5244->5251 5247 4014f0 5250 40151b 5247->5250 5248 40156e 5248->5222 5249 401542 VirtualFree 5249->5250 5250->5248 5250->5249 5254 40128c 5251->5254 5255 401298 LocalAlloc 5254->5255 5256 4012aa 5254->5256 5255->5256 5256->5222 5256->5247 5258 40175b 5257->5258 5259 40180f 5258->5259 5260 401478 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5258->5260 5263 401320 LocalAlloc 5258->5263 5264 4017f5 5258->5264 5266 4017aa 5258->5266 5261 4017bb 5259->5261 5275 401598 5259->5275 5260->5258 
5261->5199 5263->5258 5265 4014f0 VirtualFree 5264->5265 5265->5261 5267 4014f0 VirtualFree 5266->5267 5267->5261 5269 401d54 9 API calls 5268->5269 5270 401db4 5269->5270 5271 401320 LocalAlloc 5270->5271 5272 401dc4 5271->5272 5273 401b18 9 API calls 5272->5273 5274 401dcc 5272->5274 5273->5274 5274->5200 5277 4015de 5275->5277 5276 40160e 5276->5261 5277->5276 5278 4015fa VirtualAlloc 5277->5278 5278->5276 5278->5277 5282 401ec4 5279->5282 5280 401f14 5280->5163 5280->5164 5281 401ef0 5281->5280 5283 401cd4 9 API calls 5281->5283 5282->5280 5282->5281 5285 401e2c 5282->5285 5283->5280 5290 4016ac 5285->5290 5288 401e49 5288->5282 5289 401da0 9 API calls 5289->5288 5291 4016c8 5290->5291 5293 4016d2 5291->5293 5295 401320 LocalAlloc 5291->5295 5297 401723 5291->5297 5299 40172f 5291->5299 5300 401414 5291->5300 5294 401598 VirtualAlloc 5293->5294 5296 4016de 5294->5296 5295->5291 5296->5299 5298 4014f0 VirtualFree 5297->5298 5298->5299 5299->5288 5299->5289 5301 401423 VirtualAlloc 5300->5301 5303 401450 5301->5303 5304 401473 5301->5304 5305 4012e4 LocalAlloc 5303->5305 5304->5291 5306 40145c 5305->5306 5306->5304 5307 401460 VirtualFree 5306->5307 5307->5304 6713 4028a6 6714 4028ae 6713->6714 6715 40350c 3 API calls 6714->6715 6716 4028c3 6714->6716 6715->6714 6717 402580 3 API calls 6716->6717 6718 4028c8 6717->6718 6873 4019a7 6874 40198e 6873->6874 6875 4019a1 6874->6875 6876 401997 RtlLeaveCriticalSection 6874->6876 6876->6875 6055 4075a8 SetEndOfFile 6056 4075b8 6055->6056 6057 4075bf 6055->6057 6058 407388 20 API calls 6056->6058 6058->6057 6877 4011aa 6878 4011ac GetStdHandle 6877->6878 6890 402bbc 6891 402bc5 RaiseException 6890->6891 6892 402bd8 6890->6892 6891->6892 6893 402bbd RaiseException 6894 402bd8 6893->6894

                                    Control-flow Graph

                                    APIs
                                    • GetSystemInfo.KERNEL32(?), ref: 0040995A
                                    • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409965
                                    • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 004099A6
                                    • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 004099D8
                                    • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 004099E8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Virtual$ProtectQuery$InfoSystem
                                    • String ID:
                                    • API String ID: 2441996862-0
                                    • Opcode ID: ba286c78c749df456ae899089e39f235de0f1e2cfaa3d3ba7d238c827e31356b
                                    • Instruction ID: a5486ccdf981a3684568a2114c960ada309cebc0f3ca5b62ca576bd290099cb0
                                    • Opcode Fuzzy Hash: ba286c78c749df456ae899089e39f235de0f1e2cfaa3d3ba7d238c827e31356b
                                    • Instruction Fuzzy Hash: 4F216FF12002046AD7309A598D85F5BB7D89B45364F08492FFA89E37C2D638ED408669
                                    APIs
                                    • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4B8,00000001,?,004051C3,?,00000000,004052A2), ref: 00405116
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: e52897eeac4ef9350b142c39b7f90a3767442283d8066bbe80a915a9a08815cd
                                    • Instruction ID: d7c0312113fe9e5b185ca91cbea975456de00c07e94ab0a8f5be0f56b72314a7
                                    • Opcode Fuzzy Hash: e52897eeac4ef9350b142c39b7f90a3767442283d8066bbe80a915a9a08815cd
                                    • Instruction Fuzzy Hash: 1AE09272B0021417D315A95A4C82AEBB25CEB58311F40417FBD45EB3C1EDB59E4147A9

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00408FA1,?,?,?,?,00000000,?,00409A87), ref: 00408F28
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408F2E
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00408FA1,?,?,?,?,00000000,?,00409A87), ref: 00408F42
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408F48
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                    • API String ID: 1646373207-2130885113
                                    • Opcode ID: c7d020f19a345ef3fc8cc9fa6fa8e8c3e85b5c58a7be9a112240abfae4151a32
                                    • Instruction ID: 76bc9a42515b238a253a50a72c2f057f01a3480d43b68efedb9593b3896e19b6
                                    • Opcode Fuzzy Hash: c7d020f19a345ef3fc8cc9fa6fa8e8c3e85b5c58a7be9a112240abfae4151a32
                                    • Instruction Fuzzy Hash: 51018F70208701AEE304BF76DE47B163659E789B58F61443FF944B62C1CEBD5811866D

                                    Control-flow Graph

                                    APIs
                                    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F44
                                    • SetWindowLongA.USER32(000103BC,000000FC,00409750), ref: 00409F5B
                                      • Part of subcall function 00406A78: GetCommandLineA.KERNEL32(00000000,00406ABC,?,?,?,?,00000000,?,00409FCC,?), ref: 00406A90
                                      • Part of subcall function 004097DC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098D4,020B59B4,004098C8,00000000,004098AF), ref: 0040984C
                                      • Part of subcall function 004097DC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098D4,020B59B4,004098C8,00000000), ref: 00409860
                                      • Part of subcall function 004097DC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409879
                                      • Part of subcall function 004097DC: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 0040988B
                                      • Part of subcall function 004097DC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098D4,020B59B4,004098C8), ref: 00409894
                                    • RemoveDirectoryA.KERNEL32(00000000,0040A09A,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A047
                                    • 73EA5CF0.USER32(000103BC,0040A09A,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A05B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                    • API String ID: 978128352-3001827809
                                    • Opcode ID: 1caaa2773b8130262091e015769064f393edd00a2e454a3a23a456c8735d74ee
                                    • Instruction ID: b5f5bd46ecd701419372da39d4e61ead17bd94def7200430506a27b4058da4ce
                                    • Opcode Fuzzy Hash: 1caaa2773b8130262091e015769064f393edd00a2e454a3a23a456c8735d74ee
                                    • Instruction Fuzzy Hash: 8B413670600205DFDB10EFA9EE85B9E7BA5EB88304F10467BE510B72E2DB789805DB5D

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 004093B4: GetLastError.KERNEL32(00000000,00409457,?,0040B240,?,020B59B4), ref: 004093D8
                                    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F44
                                    • SetWindowLongA.USER32(000103BC,000000FC,00409750), ref: 00409F5B
                                      • Part of subcall function 00406A78: GetCommandLineA.KERNEL32(00000000,00406ABC,?,?,?,?,00000000,?,00409FCC,?), ref: 00406A90
                                      • Part of subcall function 004097DC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098D4,020B59B4,004098C8,00000000,004098AF), ref: 0040984C
                                      • Part of subcall function 004097DC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098D4,020B59B4,004098C8,00000000), ref: 00409860
                                      • Part of subcall function 004097DC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409879
                                      • Part of subcall function 004097DC: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 0040988B
                                      • Part of subcall function 004097DC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098D4,020B59B4,004098C8), ref: 00409894
                                    • RemoveDirectoryA.KERNEL32(00000000,0040A09A,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A047
                                    • 73EA5CF0.USER32(000103BC,0040A09A,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A05B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryErrorExitLastLineLongMultipleObjectsRemoveWait
                                    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                    • API String ID: 240127915-3001827809

                                    Control-flow Graph

                                    APIs
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098D4,020B59B4,004098C8,00000000,004098AF), ref: 0040984C
                                    • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098D4,020B59B4,004098C8,00000000), ref: 00409860
                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409879
                                    • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 0040988B
                                    • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098D4,020B59B4,004098C8), ref: 00409894
                                      • Part of subcall function 004093B4: GetLastError.KERNEL32(00000000,00409457,?,0040B240,?,020B59B4), ref: 004093D8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                    • String ID: D
                                    • API String ID: 3356880605-2746444292

                                    Control-flow Graph

                                    control_flow_graph 108 409efa-409efc 109 409f3e-409f9b CreateWindowExA SetWindowLongA 108->109 110 409efe-409f09 108->110 111 409fa5-409fd0 call 4032b4 * 2 call 406a78 call 4032b4 109->111 112 409fa0 call 405080 109->112 110->109 120 409fd5-409fe2 call 4097dc 111->120 112->111 122 409fe7-409fee 120->122 123 409ff0-409ff5 call 4095f0 122->123 124 409ffa-40a018 call 4028f8 122->124 123->124 129 40a033-40a03a 124->129 130 40a01a-40a02c 124->130 132 40a04c-40a053 129->132 133 40a03c-40a047 call 4033cc RemoveDirectoryA 129->133 131 40a02e call 409350 130->131 131->129 135 40a060-40a067 132->135 136 40a055-40a05b 73EA5CF0 132->136 133->132 137 40a069-40a08a call 403534 call 402580 135->137 138 40a08f 135->138 136->135 137->138
                                    APIs
                                    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F44
                                    • SetWindowLongA.USER32(000103BC,000000FC,00409750), ref: 00409F5B
                                    • RemoveDirectoryA.KERNEL32(00000000,0040A09A,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A047
                                    • 73EA5CF0.USER32(000103BC,0040A09A,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A05B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Window$CreateDirectoryLongRemove
                                    • String ID: /SL5="$%x,%d,%d,
                                    • API String ID: 3138356250-3932573195

                                    Control-flow Graph

                                    APIs
                                    • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00409283,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091DA
                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,00409283,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091E3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CreateDirectoryErrorLast
                                    • String ID: .tmp
                                    • API String ID: 1375471231-2986845003

                                    Control-flow Graph

                                    control_flow_graph 194 401414-401421 195 401423-401428 194->195 196 40142a-401430 194->196 197 401436-40144e VirtualAlloc 195->197 196->197 198 401450-40145e call 4012e4 197->198 199 401473-401476 197->199 198->199 202 401460-401471 VirtualFree 198->202 202->199
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0040170D), ref: 00401443
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,0040170D), ref: 0040146A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID: 4U
                                    • API String ID: 2087232378-1921797992

                                    Control-flow Graph

                                    APIs
                                    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409CBE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Message
                                    • String ID: .tmp
                                    • API String ID: 2030045667-2986845003

                                    Control-flow Graph

                                    APIs
                                    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409CBE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Message
                                    • String ID: .tmp
                                    • API String ID: 2030045667-2986845003

                                    Control-flow Graph

                                    control_flow_graph 298 40162c-401661 299 40169b-4016a1 298->299 300 401663-40166e 299->300 301 4016a3-4016a8 299->301 302 401670 300->302 303 401673-401675 300->303 302->303 304 401677 303->304 305 401679-40167b 303->305 304->305 306 401699 305->306 307 40167d-40168d VirtualFree 305->307 306->299 307->306 308 40168f 307->308 308->306
                                    APIs
                                    • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,00401893), ref: 00401686
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID: 4U
                                    • API String ID: 1263568516-1921797992

                                    Control-flow Graph

                                    control_flow_graph 309 406e9c-406eef SetErrorMode call 4033cc LoadLibraryA
                                    APIs
                                    • SetErrorMode.KERNEL32(00008000), ref: 00406EA6
                                    • LoadLibraryA.KERNEL32(00000000,00000000,00406EF0,?,00000000,00406F0E,?,00008000), ref: 00406ED5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ErrorLibraryLoadMode
                                    • String ID:
                                    • API String ID: 2987862817-0

                                    Control-flow Graph

                                    control_flow_graph 319 407568-40758d SetFilePointer 320 40759f-4075a4 319->320 321 40758f-407596 GetLastError 319->321 321->320 322 407598-40759a call 407388 321->322 322->320
                                    APIs
                                    • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00407587
                                    • GetLastError.KERNEL32(?,?,?,00000000), ref: 0040758F
                                      • Part of subcall function 00407388: GetLastError.KERNEL32(00407288,00407426,?,?,020A03A4,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D8,?,00000000,0040A10F), ref: 0040738B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FilePointer
                                    • String ID:
                                    • API String ID: 1156039329-0

                                    Control-flow Graph

                                    control_flow_graph 313 407528-407546 ReadFile 314 407548-40754c 313->314 315 40755f-407566 313->315 316 407558-40755a call 407388 314->316 317 40754e-407556 GetLastError 314->317 316->315 317->315 317->316
                                    APIs
                                    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040753F
                                    • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0040754E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastRead
                                    • String ID:
                                    • API String ID: 1948546556-0

                                    Control-flow Graph

                                    control_flow_graph 324 4074c0-4074e1 SetFilePointer 325 4074f3-4074f5 324->325 326 4074e3-4074ea GetLastError 324->326 326->325 327 4074ec-4074ee call 407388 326->327 327->325
                                    APIs
                                    • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004074D7
                                    • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004074E3
                                      • Part of subcall function 00407388: GetLastError.KERNEL32(00407288,00407426,?,?,020A03A4,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D8,?,00000000,0040A10F), ref: 0040738B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FilePointer
                                    • String ID:
                                    • API String ID: 1156039329-0
                                    APIs
                                    • GetSystemDefaultLCID.KERNEL32(00000000,004052A2), ref: 0040518B
                                      • Part of subcall function 00404BC8: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404BE5
                                      • Part of subcall function 004050F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4B8,00000001,?,004051C3,?,00000000,004052A2), ref: 00405116
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: DefaultInfoLoadLocaleStringSystem
                                    • String ID:
                                    • API String ID: 1658689577-0
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004074B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004074B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    APIs
                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00406920,?,?,?,?,00000000,?,00406935,00406C63,00000000,00406CA8,?,?,?), ref: 00406903
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    APIs
                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004075DB
                                      • Part of subcall function 00407388: GetLastError.KERNEL32(00407288,00407426,?,?,020A03A4,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D8,?,00000000,0040A10F), ref: 0040738B
                                    Similarity
                                    • API ID: ErrorFileLastWrite
                                    • String ID:
                                    • API String ID: 442123175-0
                                    APIs
                                    • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00408F8B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00408FA1), ref: 0040719F
                                    Similarity
                                    • API ID: FormatMessage
                                    • String ID:
                                    • API String ID: 1306739567-0
                                    APIs
                                    • SetEndOfFile.KERNEL32(?,020B5A10,00409E9F,00000000), ref: 004075AF
                                      • Part of subcall function 00407388: GetLastError.KERNEL32(00407288,00407426,?,?,020A03A4,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D8,?,00000000,0040A10F), ref: 0040738B
                                    Similarity
                                    • API ID: ErrorFileLast
                                    • String ID:
                                    • API String ID: 734332943-0
                                    APIs
                                    • SetErrorMode.KERNEL32(?,00406F15), ref: 00406F08
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    APIs
                                    • SetErrorMode.KERNEL32(?,00406F15), ref: 00406F08
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    APIs
                                    • CharPrevA.USER32(?,?,00406868,?,00406545,?,?,00406C83,00000000,00406CA8,?,?,?,?,00000000,00000000), ref: 0040686E
                                    Similarity
                                    • API ID: CharPrev
                                    • String ID:
                                    • API String ID: 122130370-0
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407DEC
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    APIs
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    APIs
                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,00407DE2), ref: 00407D1B
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-0
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000028), ref: 004092C1
                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004092C7
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004092E0
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409307
                                    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040930C
                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 0040931B
                                    Strings
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 107509674-3733053543
                                    APIs
                                    • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409A0E
                                    • SizeofResource.KERNEL32(00000000,00000000,?,00409AF9,00000000,0040A090,?,00000001,00000000,00000002,00000000,0040A0D8,?,00000000,0040A10F), ref: 00409A21
                                    • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409AF9,00000000,0040A090,?,00000001,00000000,00000002,00000000,0040A0D8,?,00000000), ref: 00409A33
                                    • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409AF9,00000000,0040A090,?,00000001,00000000,00000002,00000000,0040A0D8), ref: 00409A44
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID:
                                    • API String ID: 3473537107-0
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: k~@
                                    • API String ID: 0-2091116603
                                    APIs
                                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00405346,?,?,?,00000000,004054F8), ref: 00405157
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 004026A2
                                    Similarity
                                    • API ID: SystemTime
                                    • String ID:
                                    • API String ID: 2656138-0
                                    APIs
                                    • GetVersionExA.KERNEL32(?,004064DC,00000000,004064EA,?,?,?,?,?,00409A78), ref: 00405BEE
                                    Similarity
                                    • API ID: Version
                                    • String ID:
                                    • API String ID: 1889659487-0
                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407025), ref: 00406F49
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406F4F
                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407025), ref: 00406F9D
                                    Strings
                                    Similarity
                                    • API ID: AddressCloseHandleModuleProc
                                    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                    • API String ID: 4190037839-2401316094
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403ABE
                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403AE2
                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403AFE
                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B1F
                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403B48
                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403B52
                                    • GetStdHandle.KERNEL32(000000F5), ref: 00403B72
                                    • GetFileType.KERNEL32(?,000000F5), ref: 00403B89
                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403BA4
                                    • GetLastError.KERNEL32(000000F5), ref: 00403BBE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                    • String ID:
                                    • API String ID: 1694776339-0
                                    • Opcode ID: bfa32bb3cd9739c20f952283b57e243722151fd607dbfdeb92c4b19b2b12fd22
                                    • Instruction ID: 39c216bb6ee344b9585b74db20130f8a00ef2ae92934a7221e260c5489e01c5c
                                    • Opcode Fuzzy Hash: bfa32bb3cd9739c20f952283b57e243722151fd607dbfdeb92c4b19b2b12fd22
                                    • Instruction Fuzzy Hash: 8641CB702006009EE7305E258805B237DEDEF4431DF204A7FE1D67A6E2D7BDAA45875D
                                    APIs
                                    • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401A88), ref: 004019DD
                                    • LocalFree.KERNEL32(0054F700,00000000,00401A88), ref: 004019EF
                                    • VirtualFree.KERNEL32(?,00000000,00008000,0054F700,00000000,00401A88), ref: 00401A0E
                                    • LocalFree.KERNEL32(00550700,?,00000000,00008000,0054F700,00000000,00401A88), ref: 00401A4D
                                    • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401A8F), ref: 00401A78
                                    • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401A8F), ref: 00401A82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                    • String ID: 4U
                                    • API String ID: 3782394904-1921797992
                                    • Opcode ID: 0224cd9e4cd685bbc0eaaadd33ee953dcb083d991e8bb988fb07d43f52490cec
                                    • Instruction ID: e0da3218868b2eff3b283f08a977793ac46513ca518615f56d0a063205e332b4
                                    • Opcode Fuzzy Hash: 0224cd9e4cd685bbc0eaaadd33ee953dcb083d991e8bb988fb07d43f52490cec
                                    • Instruction Fuzzy Hash: CC118230742280DEDB11ABA59EE6F723658B785748F44427EF444B62F2C67C9840CB5D
                                    APIs
                                    • GetSystemDefaultLCID.KERNEL32(00000000,004054F8,?,?,?,?,00000000,00000000,00000000,?,004064D7,00000000,004064EA), ref: 004052CA
                                      • Part of subcall function 004050F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4B8,00000001,?,004051C3,?,00000000,004052A2), ref: 00405116
                                      • Part of subcall function 00405144: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00405346,?,?,?,00000000,004054F8), ref: 00405157
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: InfoLocale$DefaultSystem
                                    • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                    • API String ID: 1044490935-665933166
                                    • Opcode ID: e9f267c541578e64696966b1ee52736ed34d5bed39ccf2743147974671e08898
                                    • Instruction ID: f91b7a2f2b9b22d714582e6341564114617d49eddd39a33539c2bf0915514603
                                    • Opcode Fuzzy Hash: e9f267c541578e64696966b1ee52736ed34d5bed39ccf2743147974671e08898
                                    • Instruction Fuzzy Hash: 32516234B00544ABD700EBA98C9179F77AADB88304F50D47BB111BB7C6DA3DDA059B5C
                                    APIs
                                    • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019A2,?,?,0040214E,?,?,?,?,?,00401B69,00401D8F,00401DB4), ref: 00401902
                                    • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019A2,?,?,0040214E,?,?,?,?,?,00401B69,00401D8F,00401DB4), ref: 00401915
                                    • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019A2,?,?,0040214E,?,?,?,?,?,00401B69,00401D8F,00401DB4), ref: 0040193F
                                    • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019A9,00000000,004019A2,?,?,0040214E,?,?,?,?,?,00401B69,00401D8F,00401DB4), ref: 0040199C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                    • String ID: 4U
                                    • API String ID: 730355536-1921797992
                                    • Opcode ID: de471818b2414683b21f6bc9ff1e5a95ed4441ac9e21a28f2cfdab420b4996fd
                                    • Instruction ID: 5746b3b2d889d8a1011873919fe502cc9b982e698476508195c1ae4d0b4fb488
                                    • Opcode Fuzzy Hash: de471818b2414683b21f6bc9ff1e5a95ed4441ac9e21a28f2cfdab420b4996fd
                                    • Instruction Fuzzy Hash: 9B016170584240DED715AB6999F6B353A94F785704F50827FF484F62F2C67C4450CB9E
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036AA
                                    • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036B5
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004036C8
                                    • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 004036D2
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004036E1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocString
                                    • String ID:
                                    • API String ID: 262959230-0
                                    • Opcode ID: dbed304cfed877ab963453fce097edfbac203c8171883807f50a9af1782cfa2c
                                    • Instruction ID: 0190e091da2a7f8450f1c96766014df6c265c93429416bc30eedfc26ea6e6653
                                    • Opcode Fuzzy Hash: dbed304cfed877ab963453fce097edfbac203c8171883807f50a9af1782cfa2c
                                    • Instruction Fuzzy Hash: 1AF044613442543BE56075A65C43FAB198CCB41BAEF10057EF708FA2C2D8799D0542BD
                                    APIs
                                    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D3D
                                    • ExitProcess.KERNEL32 ref: 00403D85
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ExitMessageProcess
                                    • String ID: Error$Runtime error at 00000000
                                    • API String ID: 1220098344-2970929446
                                    • Opcode ID: 445f10b0f8322d28c22961e862ce6c5d63c74b710c0e2d1f3d4d7c8d13ea9c85
                                    • Instruction ID: 8320b6201b412c18e5afb5eab0fcfc57c1528460d1eb796ab10d24a9e8389a7c
                                    • Opcode Fuzzy Hash: 445f10b0f8322d28c22961e862ce6c5d63c74b710c0e2d1f3d4d7c8d13ea9c85
                                    • Instruction Fuzzy Hash: 0721D330B14341DAE714AFA89AD57153E98A789349F04833BE540BB3E2C73C4A45C76E
                                    APIs
                                    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,0040C44C,?,?,?,004017D4), ref: 00401496
                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,0040C44C,?,?,?,004017D4), ref: 004014BB
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,0040C44C,?,?,?,004017D4), ref: 004014E1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Virtual$Alloc$Free
                                    • String ID: 4U
                                    • API String ID: 3668210933-1921797992
                                    • Opcode ID: 8bf6239f509a5d165cbffa01a46693f269e74f09348e47a38c3464accab4aa1a
                                    • Instruction ID: d47062aac3a230bbc8038d4816de129337f303d0768d8ec70577b8dfb9aa1cde
                                    • Opcode Fuzzy Hash: 8bf6239f509a5d165cbffa01a46693f269e74f09348e47a38c3464accab4aa1a
                                    • Instruction Fuzzy Hash: F2F0C8717403106AE7316A694CC5F533AD8DF85754F1041BAFA0CFF3EAD6B85800826C
                                    APIs
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00406E44,?,?,?,00000000), ref: 00406D48
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,00406E44), ref: 00406DB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID: %p@
                                    • API String ID: 3660427363-2552522111
                                    • Opcode ID: db8d605f2d7428e5773ab85079a6bd4d584bfa9fa5127d8ea1a6b6ceb35a20a7
                                    • Instruction ID: bbc643352df9f954991911a303aa0bfad60e55d9832b9a780d3595a2f682af09
                                    • Opcode Fuzzy Hash: db8d605f2d7428e5773ab85079a6bd4d584bfa9fa5127d8ea1a6b6ceb35a20a7
                                    • Instruction Fuzzy Hash: 1B414F75E00219AFDB10DF95C881BAFB7B9EF04704F56457AE801F7284D738AE108BA9
                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00409A6E), ref: 004030B7
                                    • GetCommandLineA.KERNEL32(00000000,00409A6E), ref: 004030C2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CommandHandleLineModule
                                    • String ID: U1h8.@
                                    • API String ID: 2123368496-3367623671
                                    • Opcode ID: 4dadbc42209142439aad2af0ab94c32bfcf3adda6045e33ce680bfa058b26073
                                    • Instruction ID: 924c7b9890db684fc682acc431aa6d470a398ff13c163616bddd672675baf13b
                                    • Opcode Fuzzy Hash: 4dadbc42209142439aad2af0ab94c32bfcf3adda6045e33ce680bfa058b26073
                                    • Instruction Fuzzy Hash: 40C01274580300CAD720AFFA9E863047990A385349F40823EA604BA2F1CA7C4205EBDD
                                    APIs
                                    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A033,000000FA,00000032,0040A09A), ref: 0040936F
                                    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A033,000000FA,00000032,0040A09A), ref: 0040937F
                                    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A033,000000FA,00000032,0040A09A), ref: 00409392
                                    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A033,000000FA,00000032,0040A09A), ref: 0040939C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3353966688.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3353936163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354026831.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3354083067.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ErrorLastSleep
                                    • String ID:
                                    • API String ID: 1458359878-0
                                    • Opcode ID: 42f751c5a7adbc297ec854d2b17d8e809afb88cacf9d3c48e6fcb1b7561c2c84
                                    • Instruction ID: 20e6580ac09384fab4cee847e89ba62e511b3a88b3cad5b96716f3c005a3b8a5
                                    • Opcode Fuzzy Hash: 42f751c5a7adbc297ec854d2b17d8e809afb88cacf9d3c48e6fcb1b7561c2c84
                                    • Instruction Fuzzy Hash: BBF0F673A00214A7CB20A5AB988695FA25DDACA3A8710403BFD04F73C2D53ECD0186A9

                                    Execution Graph

                                    Execution Coverage:8%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:7.5%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:45
50346->50349 50415 42d8b4 LocalAlloc TlsSetValue TlsGetValue 50346->50415 50347->50349 50349->50010 50350->50013 50351->50044 50352->50028 50354 42db11 RegOpenKeyExA 50353->50354 50355 42db0b 50353->50355 50354->50292 50355->50354 50359 42d8e4 50356->50359 50360 42d90a RegQueryValueExA 50359->50360 50364 42d92d 50360->50364 50375 42d94f 50360->50375 50361 4033cc 3 API calls 50363 42da1b 50361->50363 50362 42d947 50365 4033cc 3 API calls 50362->50365 50363->50299 50363->50300 50364->50362 50364->50375 50376 4034ac 50364->50376 50381 403710 50364->50381 50365->50375 50368 42d984 RegQueryValueExA 50368->50360 50369 42d9a0 50368->50369 50369->50375 50385 403870 50369->50385 50372 42d9f4 50373 40341c 3 API calls 50372->50373 50373->50375 50374 403710 3 API calls 50374->50372 50375->50361 50394 403488 50376->50394 50378 4034bc 50379 4033cc 3 API calls 50378->50379 50380 4034d4 50379->50380 50380->50364 50382 403716 50381->50382 50384 403727 50381->50384 50383 403488 3 API calls 50382->50383 50382->50384 50383->50384 50384->50368 50386 40387d 50385->50386 50393 4038ad 50385->50393 50387 4038a6 50386->50387 50389 403889 50386->50389 50390 403488 3 API calls 50387->50390 50388 4033cc 3 API calls 50391 403897 50388->50391 50404 402660 LocalAlloc TlsSetValue TlsGetValue 50389->50404 50390->50393 50391->50372 50391->50374 50393->50388 50395 4034a8 50394->50395 50396 40348c 50394->50396 50395->50378 50399 402630 50396->50399 50400 402634 50399->50400 50401 40263e 50399->50401 50400->50401 50403 403398 LocalAlloc TlsSetValue TlsGetValue 50400->50403 50401->50378 50403->50401 50404->50391 50405->50306 50408 403464 50406->50408 50407 403486 50407->50037 50408->50407 50410 402648 50408->50410 50411 40264c 50410->50411 50412 402656 50410->50412 50411->50412 50414 403398 LocalAlloc TlsSetValue TlsGetValue 50411->50414 50412->50407 50412->50412 50414->50412 50415->50346 50419 455bcc 50416->50419 50420 455bf1 CreateDirectoryA 50419->50420 50425 45412c 3 API calls 50419->50425 50431 
42e50c 4 API calls 50419->50431 50432 4540fc 3 API calls 50419->50432 50476 42d6fc 50419->50476 50499 455938 50419->50499 50518 406c94 18 API calls 50419->50518 50519 408b74 LocalAlloc TlsSetValue TlsGetValue 50419->50519 50421 455c69 50420->50421 50422 455bfb GetLastError 50420->50422 50423 403460 3 API calls 50421->50423 50422->50419 50424 455c73 50423->50424 50426 4033ec 3 API calls 50424->50426 50425->50419 50427 455c8d 50426->50427 50429 4033ec 3 API calls 50427->50429 50430 455c9a 50429->50430 50430->50059 50431->50419 50432->50419 50435 40358b 50434->50435 50436 40354c 50434->50436 50435->50064 50437 403556 50436->50437 50438 40341c 50436->50438 50439 403580 50437->50439 50440 403569 50437->50440 50444 403488 3 API calls 50438->50444 50445 403430 50438->50445 50441 403870 3 API calls 50439->50441 50443 403870 3 API calls 50440->50443 50447 40356e 50441->50447 50442 40345c 50442->50064 50443->50447 50444->50445 50445->50442 50446 402648 3 API calls 50445->50446 50446->50442 50447->50064 50602 40d0ac 50448->50602 50452 47b00b 50452->50083 50454 45a0f6 50453->50454 50455 45a0f0 50453->50455 50456 403460 3 API calls 50454->50456 50457 45a104 50455->50457 50458 45a0f4 50455->50458 50459 45a102 50456->50459 50460 403460 3 API calls 50457->50460 50462 4033cc 3 API calls 50458->50462 50459->50087 50461 45a110 50460->50461 50461->50087 50463 45a119 50462->50463 50463->50087 50464->50067 50465->50082 50467 42e532 50466->50467 50468 4034ac 3 API calls 50467->50468 50469 42e54f 50468->50469 50470 4540fc 50469->50470 50471 45411c 50470->50471 50653 453fd4 50471->50653 50474 408b74 LocalAlloc TlsSetValue TlsGetValue 50474->50074 50475->50089 50477 42cf90 4 API calls 50476->50477 50478 42d722 50477->50478 50479 42d72e 50478->50479 50529 42cad0 50478->50529 50481 42cf90 4 API calls 50479->50481 50482 42d77a 50479->50482 50483 42d73e 50481->50483 50520 42c58c 50482->50520 50484 42d74a 50483->50484 50486 42cad0 6 API calls 50483->50486 50484->50482 50487 42d76f 50484->50487 
50490 42cf90 4 API calls 50484->50490 50486->50484 50487->50482 50488 42d620 GetWindowsDirectoryA 50487->50488 50488->50482 50492 42d763 50490->50492 50491 42c218 4 API calls 50493 42d78f 50491->50493 50492->50487 50495 42cad0 6 API calls 50492->50495 50494 403460 3 API calls 50493->50494 50496 42d799 50494->50496 50495->50487 50497 4033ec 3 API calls 50496->50497 50498 42d7b3 50497->50498 50498->50419 50500 455958 50499->50500 50501 42c218 4 API calls 50500->50501 50502 455971 50501->50502 50503 403460 3 API calls 50502->50503 50504 45597c 50503->50504 50505 42c948 5 API calls 50504->50505 50507 45412c 3 API calls 50504->50507 50511 4559f8 50504->50511 50567 4558c4 50504->50567 50575 403600 50504->50575 50581 454b78 50504->50581 50589 408b74 LocalAlloc TlsSetValue TlsGetValue 50504->50589 50505->50504 50507->50504 50512 403460 3 API calls 50511->50512 50513 455a03 50512->50513 50514 4033ec 3 API calls 50513->50514 50515 455a1d 50514->50515 50516 4033cc 3 API calls 50515->50516 50517 455a25 50516->50517 50517->50419 50518->50419 50519->50419 50532 403704 50520->50532 50523 42c5d2 50526 403460 3 API calls 50523->50526 50524 42c5bb 50524->50523 50525 42c5c3 50524->50525 50527 4034ac 3 API calls 50525->50527 50528 42c5d0 50526->50528 50527->50528 50528->50491 50534 42ca54 50529->50534 50533 403708 GetFullPathNameA 50532->50533 50533->50523 50533->50524 50540 42c948 50534->50540 50536 42ca76 50537 42ca7e GetFileAttributesA 50536->50537 50538 4033cc 3 API calls 50537->50538 50539 42ca9b 50538->50539 50539->50479 50550 42c448 50540->50550 50542 42c959 50543 42c980 50542->50543 50557 42c8cc CharPrevA 50542->50557 50545 42c996 50543->50545 50546 42c98b 50543->50546 50558 403744 50545->50558 50547 403460 3 API calls 50546->50547 50549 42c994 50547->50549 50549->50536 50553 42c459 50550->50553 50551 42c4bd 50554 42c4b8 50551->50554 50566 42c260 IsDBCSLeadByte 50551->50566 50553->50551 50556 42c477 50553->50556 50554->50542 50556->50554 50565 42c260 IsDBCSLeadByte 
50556->50565 50557->50542 50559 403776 50558->50559 50562 403749 50558->50562 50560 4033cc 3 API calls 50559->50560 50561 40376c 50560->50561 50561->50549 50562->50559 50563 40375d 50562->50563 50564 4034ac 3 API calls 50563->50564 50564->50561 50565->50556 50566->50554 50568 4033cc 3 API calls 50567->50568 50569 4558e5 50568->50569 50572 455912 50569->50572 50590 4034dc 50569->50590 50593 4037cc 50569->50593 50573 4033cc 3 API calls 50572->50573 50574 455927 50573->50574 50574->50504 50576 403608 50575->50576 50577 403488 3 API calls 50576->50577 50578 40361b 50577->50578 50579 40341c 3 API calls 50578->50579 50580 403643 50579->50580 50597 4548ac Wow64DisableWow64FsRedirection SetLastError 50581->50597 50583 454b8e 50584 454b92 50583->50584 50598 42cae4 50583->50598 50584->50504 50588 454bcd 50588->50504 50589->50504 50591 4034ac 3 API calls 50590->50591 50592 4034e9 50591->50592 50592->50569 50594 4037d0 50593->50594 50596 4037fb 50593->50596 50595 403870 3 API calls 50594->50595 50595->50596 50596->50569 50597->50583 50599 42ca54 6 API calls 50598->50599 50600 42caee GetLastError 50599->50600 50601 4548e8 Wow64RevertWow64FsRedirection 50600->50601 50601->50588 50603 40d0b6 50602->50603 50613 40d170 FindResourceA 50603->50613 50605 40d0e4 50606 47aef8 50605->50606 50625 40cf00 50606->50625 50608 47af2d 50609 4033ec 3 API calls 50608->50609 50610 47afbd 50609->50610 50611 4033cc 3 API calls 50610->50611 50612 47afc5 50611->50612 50612->50452 50614 40d195 50613->50614 50615 40d19c LoadResource 50613->50615 50623 40d0fc 18 API calls 50614->50623 50617 40d1b6 SizeofResource LockResource 50615->50617 50618 40d1af 50615->50618 50620 40d1d4 50617->50620 50624 40d0fc 18 API calls 50618->50624 50620->50605 50621 40d19b 50621->50615 50622 40d1b5 50622->50617 50623->50621 50624->50622 50630 40cdb0 50625->50630 50627 40cf1a 50642 40cee8 50627->50642 50629 40cf35 50629->50608 50631 40cdbd 50630->50631 50632 40cdd9 50631->50632 50633 40ce0e 50631->50633 50646 406e28 
50632->50646 50650 406de8 CreateFileA 50633->50650 50636 40cde0 50641 40ce07 50636->50641 50649 408c94 18 API calls 50636->50649 50637 40ce18 50637->50641 50651 408c94 18 API calls 50637->50651 50640 40ce3f 50640->50641 50641->50627 50643 40cef0 50642->50643 50644 40cefc 50642->50644 50652 40cc18 LocalAlloc TlsSetValue TlsGetValue LoadStringA 50643->50652 50644->50629 50647 403704 50646->50647 50648 406e44 CreateFileA 50647->50648 50648->50636 50649->50641 50650->50637 50651->50640 50652->50644 50654 4033cc 3 API calls 50653->50654 50661 454005 50654->50661 50655 454030 50656 4033ec 3 API calls 50655->50656 50657 4540bd 50656->50657 50657->50474 50658 45401c 50660 403548 3 API calls 50658->50660 50659 4034ac 3 API calls 50659->50661 50660->50655 50661->50655 50661->50658 50661->50659 50662 403548 LocalAlloc TlsSetValue TlsGetValue 50661->50662 50662->50661 50664 45476d 50663->50664 50675 454698 50663->50675 50664->50110 50669 4554cc LocalAlloc TlsSetValue TlsGetValue 50664->50669 50667 403704 50666->50667 50668 42e0d4 LoadLibraryA 50667->50668 50668->50117 50669->50110 50689 407870 50670->50689 50673 4554cc LocalAlloc TlsSetValue TlsGetValue 50673->50119 50674->50122 50676 403704 50675->50676 50677 4546b5 751C1520 50676->50677 50678 4546c3 50677->50678 50679 45473a 50677->50679 50680 402630 3 API calls 50678->50680 50685 45474d 50679->50685 50688 4544bc 22 API calls 50679->50688 50681 4546ca 751C1500 50680->50681 50683 454708 50681->50683 50684 4546ee 751C1540 50681->50684 50686 402648 3 API calls 50683->50686 50684->50683 50685->50664 50687 454732 50686->50687 50687->50664 50688->50685 50690 40788d 50689->50690 50697 407520 50690->50697 50693 4078b9 50695 4034ac 3 API calls 50693->50695 50696 40786b 50695->50696 50696->50673 50699 40753b 50697->50699 50698 40754d 50698->50693 50702 406890 LocalAlloc TlsSetValue TlsGetValue LoadStringA 50698->50702 50699->50698 50703 407642 18 API calls 50699->50703 50704 407514 LocalAlloc TlsSetValue TlsGetValue 50699->50704 
50702->50693 50703->50699 50704->50699 50705->50133 50707 403460 3 API calls 50706->50707 50715 47a933 50707->50715 50708 47aa38 50709 4033ec 3 API calls 50708->50709 50710 47a8fb 50709->50710 50710->50139 50711 403784 LocalAlloc TlsSetValue TlsGetValue 50711->50715 50713 403744 3 API calls 50713->50715 50715->50708 50715->50711 50715->50713 50716 4037cc 3 API calls 50715->50716 50718 4554cc LocalAlloc TlsSetValue TlsGetValue 50715->50718 50719 479a74 41 API calls 50715->50719 50720 42c704 CharPrevA 50715->50720 50716->50715 50718->50715 50719->50715 50720->50715 50722 403460 3 API calls 50721->50722 50723 46627a 50722->50723 50738 42d8ac 50723->50738 50726 42d8ac 4 API calls 50727 46629e 50726->50727 50741 466138 50727->50741 50730 42d8ac 4 API calls 50731 4662b7 50730->50731 50745 4661b0 50731->50745 50734 42d8ac 4 API calls 50735 4662d0 50734->50735 50736 4033cc 3 API calls 50735->50736 50737 4662e5 50736->50737 50737->50148 50749 42d7f4 50738->50749 50742 466152 50741->50742 50743 40785c 18 API calls 50742->50743 50744 46618d 50743->50744 50744->50730 50746 4661d0 50745->50746 50747 40785c 18 API calls 50746->50747 50748 46621a 50747->50748 50748->50734 50750 42d814 50749->50750 50751 42d89f 50749->50751 50750->50751 50754 4037cc 3 API calls 50750->50754 50755 403784 LocalAlloc TlsSetValue TlsGetValue 50750->50755 50756 42c260 IsDBCSLeadByte 50750->50756 50751->50726 50754->50750 50755->50750 50756->50750 50758 42e694 GetModuleHandleA GetProcAddress 50757->50758 50758->50152 50758->50154 50760 406aeb 50759->50760 50761 406b04 50760->50761 50762 406b0d 50760->50762 50763 4033cc 3 API calls 50761->50763 50765 403744 3 API calls 50762->50765 50764 406b0b 50763->50764 50764->50160 50765->50764 50766->50160 50768 42c448 IsDBCSLeadByte 50767->50768 50770 42c539 50768->50770 50769 42c583 50769->50169 50770->50769 50772 42c260 IsDBCSLeadByte 50770->50772 50772->50770 50773->50229 50774->50240 50775->50236 50776->50225 50777->50228 50779 42d054 50778->50779 50780 4034ac 
3 API calls 50779->50780 50781 42d061 50780->50781 50782 403710 3 API calls 50781->50782 50783 42d069 50782->50783 50784 40341c 3 API calls 50783->50784 50785 42d081 50784->50785 50786 4033cc 3 API calls 50785->50786 50787 42d0a3 50786->50787 50787->50265 50788 4135a0 SetWindowLongA GetWindowLongA 50789 4135fd SetPropA SetPropA 50788->50789 50790 4135df GetWindowLongA 50788->50790 50794 41f27c 50789->50794 50790->50789 50791 4135ee SetWindowLongA 50790->50791 50791->50789 50799 4238f0 50794->50799 50806 41517c 50794->50806 50813 423a78 50794->50813 50795 41364d 50800 423900 50799->50800 50801 423979 50799->50801 50800->50801 50802 423906 EnumWindows 50800->50802 50801->50795 50802->50801 50803 423922 GetWindow GetWindowLongA 50802->50803 50907 423888 GetWindow 50802->50907 50804 423941 50803->50804 50804->50801 50805 42396d SetWindowPos 50804->50805 50805->50801 50805->50804 50807 415189 50806->50807 50808 4151e4 50807->50808 50809 4151ef 50807->50809 50812 4151ed 50807->50812 50808->50812 50911 414f68 43 API calls 50808->50911 50910 4249f8 11 API calls 50809->50910 50812->50795 50815 423aae 50813->50815 50833 423acf 50815->50833 50912 4239d4 50815->50912 50817 423b58 50819 423b93 50817->50819 50820 423b5f 50817->50820 50818 423af9 50821 423aff 50818->50821 50822 423bbc 50818->50822 50823 423f06 IsIconic 50819->50823 50824 423b9e 50819->50824 50827 423b65 50820->50827 50828 423e1d 50820->50828 50829 423b31 50821->50829 50830 423b04 50821->50830 50825 423bd7 50822->50825 50826 423bce 50822->50826 50823->50833 50837 423f1a GetFocus 50823->50837 50831 423f42 50824->50831 50832 423ba7 50824->50832 50918 424000 11 API calls 50825->50918 50834 423be4 50826->50834 50835 423bd5 50826->50835 50838 423b73 50827->50838 50839 423d7f SendMessageA 50827->50839 50828->50833 50880 423e43 IsWindowEnabled 50828->50880 50829->50833 50853 423b4a 50829->50853 50854 423cab 50829->50854 50840 423c62 50830->50840 50841 423b0a 50830->50841 50943 4246bc WinHelpA PostMessageA 50831->50943 
50846 423f59 50832->50846 50863 423b2c 50832->50863 50833->50795 50919 424048 10 API calls 50834->50919 50920 4239f0 NtdllDefWindowProc_A 50835->50920 50837->50833 50848 423f2b 50837->50848 50838->50833 50838->50863 50876 423dc2 50838->50876 50839->50833 50924 4239f0 NtdllDefWindowProc_A 50840->50924 50842 423b13 50841->50842 50843 423c8a PostMessageA 50841->50843 50849 423d11 50842->50849 50850 423b1c 50842->50850 50930 4239f0 NtdllDefWindowProc_A 50843->50930 50851 423f62 50846->50851 50852 423f77 50846->50852 50942 41eed4 GetCurrentThreadId 73EA5940 50848->50942 50860 423d1a 50849->50860 50861 423d4b 50849->50861 50858 423b25 50850->50858 50859 423c3a IsIconic 50850->50859 50944 424340 50851->50944 50950 424398 LocalAlloc TlsSetValue TlsGetValue SendMessageA 50852->50950 50853->50863 50864 423c77 50853->50864 50916 4239f0 NtdllDefWindowProc_A 50854->50916 50858->50863 50878 423bfd 50858->50878 50871 423c56 50859->50871 50872 423c4a 50859->50872 50932 423980 LocalAlloc TlsSetValue TlsGetValue SetWindowPos 50860->50932 50935 4239f0 NtdllDefWindowProc_A 50861->50935 50863->50833 50917 4239f0 NtdllDefWindowProc_A 50863->50917 50925 423fe4 50864->50925 50867 423f32 50867->50833 50868 423f3a SetFocus 50867->50868 50868->50833 50870 423ca5 50870->50833 50923 4239f0 NtdllDefWindowProc_A 50871->50923 50922 423a2c 14 API calls 50872->50922 50876->50833 50897 423de4 IsWindowEnabled 50876->50897 50877 423cb1 50884 423cef 50877->50884 50885 423ccd 50877->50885 50878->50833 50921 422ab8 ShowWindow PostMessageA PostQuitMessage 50878->50921 50879 423d22 50888 423d34 50879->50888 50933 41ee38 LocalAlloc TlsSetValue TlsGetValue IsWindow EnableWindow 50879->50933 50880->50833 50889 423e51 50880->50889 50883 423d51 50890 423d69 50883->50890 50936 41ed84 GetCurrentThreadId 73EA5940 50883->50936 50886 4238f0 6 API calls 50884->50886 50931 423980 LocalAlloc TlsSetValue TlsGetValue SetWindowPos 50885->50931 50892 423cf7 PostMessageA 50886->50892 50934 4239f0 NtdllDefWindowProc_A 
50888->50934 50900 423e58 IsWindowVisible 50889->50900 50896 4238f0 6 API calls 50890->50896 50892->50833 50896->50833 50897->50833 50899 423df2 50897->50899 50898 423cd5 PostMessageA 50898->50833 50937 412274 6 API calls 50899->50937 50900->50833 50902 423e66 GetFocus 50900->50902 50938 4180cc 50902->50938 50904 423e7b SetFocus 50940 41514c 50904->50940 50908 4238a9 GetWindowLongA 50907->50908 50909 4238b5 50907->50909 50908->50909 50910->50812 50911->50812 50913 4239e9 50912->50913 50914 4239de 50912->50914 50913->50817 50913->50818 50914->50913 50951 408688 GetSystemDefaultLCID 50914->50951 50916->50877 50917->50833 50918->50833 50919->50833 50920->50833 50921->50833 50922->50833 50923->50833 50924->50833 51014 41da10 50925->51014 50928 423ff0 LoadIconA 50929 423ffc 50928->50929 50929->50833 50930->50870 50931->50898 50932->50879 50933->50888 50934->50833 50935->50883 50936->50890 50937->50833 50939 4180d6 50938->50939 50939->50904 50941 415167 SetFocus 50940->50941 50941->50833 50942->50867 50943->50870 50945 424366 50944->50945 50946 42434c 50944->50946 50949 402630 3 API calls 50945->50949 50947 42437b 50946->50947 50948 424353 SendMessageA 50946->50948 50947->50833 50948->50947 50949->50947 50950->50870 51006 4084d0 GetLocaleInfoA 50951->51006 50954 40341c 3 API calls 50955 4086c8 50954->50955 50956 4084d0 4 API calls 50955->50956 50957 4086dd 50956->50957 50958 4084d0 4 API calls 50957->50958 50959 408701 50958->50959 51012 40851c GetLocaleInfoA 50959->51012 50962 40851c GetLocaleInfoA 50963 408731 50962->50963 50964 4084d0 4 API calls 50963->50964 50965 40874b 50964->50965 50966 40851c GetLocaleInfoA 50965->50966 50967 408768 50966->50967 50968 4084d0 4 API calls 50967->50968 50969 408782 50968->50969 50970 40341c 3 API calls 50969->50970 50971 40878f 50970->50971 50972 4084d0 4 API calls 50971->50972 50973 4087a4 50972->50973 50974 40341c 3 API calls 50973->50974 50975 4087b1 50974->50975 50976 40851c GetLocaleInfoA 50975->50976 50977 4087bf 50976->50977 
50978 4084d0 4 API calls 50977->50978 50979 4087d9 50978->50979 50980 40341c 3 API calls 50979->50980 50981 4087e6 50980->50981 50982 4084d0 4 API calls 50981->50982 50983 4087fb 50982->50983 50984 40341c 3 API calls 50983->50984 50985 408808 50984->50985 50986 4084d0 4 API calls 50985->50986 50987 40881d 50986->50987 50988 40883a 50987->50988 50989 40882b 50987->50989 50991 403460 3 API calls 50988->50991 50990 403460 3 API calls 50989->50990 50992 408838 50990->50992 50991->50992 50993 4084d0 4 API calls 50992->50993 50994 40885c 50993->50994 50995 408879 50994->50995 50996 40886a 50994->50996 50998 4033cc 3 API calls 50995->50998 50997 403460 3 API calls 50996->50997 50999 408877 50997->50999 50998->50999 51000 403600 3 API calls 50999->51000 51001 40889b 51000->51001 51002 403600 3 API calls 51001->51002 51003 4088b5 51002->51003 51004 4033ec 3 API calls 51003->51004 51005 4088cf 51004->51005 51005->50913 51007 4084f7 51006->51007 51008 408509 51006->51008 51009 4034ac 3 API calls 51007->51009 51010 403460 3 API calls 51008->51010 51011 408507 51009->51011 51010->51011 51011->50954 51013 408538 51012->51013 51013->50962 51017 41da34 51014->51017 51018 41da1a 51017->51018 51019 41da41 51017->51019 51018->50928 51018->50929 51019->51018 51026 40cbe0 LocalAlloc TlsSetValue TlsGetValue LoadStringA 51019->51026 51021 41da5e 51021->51018 51022 41da78 51021->51022 51023 41da6b 51021->51023 51027 41bc6c 10 API calls 51022->51027 51028 41b268 LocalAlloc TlsSetValue TlsGetValue LoadStringA 51023->51028 51026->51021 51027->51018 51028->51018 51029 416a42 51030 416aea 51029->51030 51031 416a5a 51029->51031 51048 415228 LocalAlloc TlsSetValue TlsGetValue 51030->51048 51033 416a74 SendMessageA 51031->51033 51034 416a68 51031->51034 51044 416ac8 51033->51044 51035 416a72 CallWindowProcA 51034->51035 51036 416a8e 51034->51036 51035->51044 51045 419f48 GetSysColor 51036->51045 51039 416a99 SetTextColor 51040 416aae 51039->51040 51046 419f48 GetSysColor 51040->51046 51042 416ab3 
SetBkColor 51047 41a5d0 GetSysColor CreateBrushIndirect 51042->51047 51045->51039 51046->51042 51047->51044 51048->51044 51049 416544 51050 416551 51049->51050 51051 4165ab 51049->51051 51056 416450 CreateWindowExA 51050->51056 51052 416558 SetPropA SetPropA 51052->51051 51053 41658b 51052->51053 51054 41659e SetWindowPos 51053->51054 51054->51051 51056->51052 51057 424268 PeekMessageA 51058 42430c 51057->51058 51059 42428b 51057->51059 51059->51058 51069 424238 51059->51069 51068 4242f6 TranslateMessage DispatchMessageA 51068->51058 51070 424260 51069->51070 51071 424249 51069->51071 51070->51058 51073 424184 51070->51073 51071->51070 51088 424b24 UnhookWindowsHookEx TerminateThread KillTimer IsWindowVisible ShowWindow 51071->51088 51074 424194 51073->51074 51075 4241ce 51073->51075 51074->51075 51076 4241bb TranslateMDISysAccel 51074->51076 51075->51058 51077 4241d4 51075->51077 51076->51075 51078 424230 51077->51078 51079 4241e9 51077->51079 51078->51058 51085 424160 51078->51085 51079->51078 51080 4241f1 GetCapture 51079->51080 51080->51078 51081 4241fa 51080->51081 51082 424213 SendMessageA 51081->51082 51084 42420c 51081->51084 51082->51078 51083 42422e 51082->51083 51083->51078 51084->51082 51086 424173 IsDialogMessage 51085->51086 51087 424180 51085->51087 51086->51087 51087->51058 51087->51068 51088->51070 51089 47e8ec 51094 453d08 51089->51094 51091 47e900 51104 47da30 51091->51104 51093 47e924 51095 453d15 51094->51095 51097 453d69 51095->51097 51113 408b74 LocalAlloc TlsSetValue TlsGetValue 51095->51113 51110 453ba4 51097->51110 51101 453d91 51102 453dd4 51101->51102 51115 408b74 LocalAlloc TlsSetValue TlsGetValue 51101->51115 51102->51091 51120 40b528 51104->51120 51106 47da9d 51106->51093 51109 47da52 51109->51106 51124 4068cc 51109->51124 51127 475894 51109->51127 51116 453b50 51110->51116 51113->51097 51114 408b74 LocalAlloc TlsSetValue TlsGetValue 51114->51101 51115->51102 51117 453b73 51116->51117 51118 453b62 51116->51118 51117->51101 
51117->51114 51119 453b67 InterlockedExchange 51118->51119 51119->51117 51121 40b533 51120->51121 51122 40b553 51121->51122 51143 402660 LocalAlloc TlsSetValue TlsGetValue 51121->51143 51122->51109 51125 402630 3 API calls 51124->51125 51126 4068d7 51125->51126 51126->51109 51130 47590e 51127->51130 51140 4758c5 51127->51140 51128 475959 51144 453f78 51128->51144 51130->51128 51133 403870 3 API calls 51130->51133 51138 403710 3 API calls 51130->51138 51139 40341c 3 API calls 51130->51139 51142 453f78 22 API calls 51130->51142 51131 403870 3 API calls 51131->51140 51132 475970 51134 4033ec 3 API calls 51132->51134 51133->51130 51135 47598a 51134->51135 51135->51109 51136 403710 3 API calls 51136->51140 51137 40341c 3 API calls 51137->51140 51138->51130 51139->51130 51140->51130 51140->51131 51140->51136 51140->51137 51141 453f78 22 API calls 51140->51141 51141->51140 51142->51130 51143->51122 51145 453f93 51144->51145 51146 453f88 51144->51146 51163 453f1c 20 API calls 51145->51163 51152 45f598 51146->51152 51148 453f91 51148->51132 51149 453f9e 51149->51148 51164 408b74 LocalAlloc TlsSetValue TlsGetValue 51149->51164 51153 45f5ad 51152->51153 51155 45f5bc 51153->51155 51168 45f4bc 18 API calls 51153->51168 51156 45f5f6 51155->51156 51169 45f4bc 18 API calls 51155->51169 51158 45f60a 51156->51158 51170 45f4bc 18 API calls 51156->51170 51162 45f636 51158->51162 51165 45f540 51158->51165 51162->51148 51163->51149 51164->51148 51166 45f561 VirtualAlloc 51165->51166 51167 45f54f VirtualFree 51165->51167 51166->51162 51167->51166 51168->51155 51169->51156 51170->51158 51171 40256c 51172 402580 51171->51172 51173 402593 51171->51173 51201 4019b4 RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection 51172->51201 51175 4025b4 51173->51175 51176 4025aa RtlEnterCriticalSection 51173->51176 51187 40239c 13 API calls 51175->51187 51176->51175 51177 402585 51177->51173 51179 402589 51177->51179 51180 4025bd 51181 4025c1 51180->51181 51188 402070 
51180->51188 51183 402613 RtlLeaveCriticalSection 51181->51183 51184 40261d 51181->51184 51183->51184 51185 4025cd 51185->51181 51202 4021f8 9 API calls 51185->51202 51187->51180 51189 402084 51188->51189 51190 402097 51188->51190 51209 4019b4 RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection 51189->51209 51192 4020ae RtlEnterCriticalSection 51190->51192 51195 4020b8 51190->51195 51192->51195 51193 402089 51193->51190 51194 40208d 51193->51194 51198 4020ee 51194->51198 51195->51198 51203 401f7c 51195->51203 51198->51185 51199 4021e3 51199->51185 51200 4021d9 RtlLeaveCriticalSection 51200->51199 51201->51177 51202->51181 51206 401f8c 51203->51206 51204 401fb8 51208 401fdc 51204->51208 51215 401d9c 51204->51215 51206->51204 51206->51208 51210 401ef4 51206->51210 51208->51199 51208->51200 51209->51193 51219 401774 51210->51219 51213 401f11 51213->51206 51216 401dea 51215->51216 51217 401dba 51215->51217 51216->51217 51242 401d04 51216->51242 51217->51208 51222 401790 51219->51222 51221 40179a 51238 401660 VirtualAlloc 51221->51238 51222->51221 51224 4017f7 51222->51224 51227 4017eb 51222->51227 51230 4014dc 51222->51230 51239 4013e8 LocalAlloc 51222->51239 51224->51213 51229 401e68 9 API calls 51224->51229 51226 4017a6 51226->51224 51240 4015b8 VirtualFree 51227->51240 51229->51213 51231 4014eb VirtualAlloc 51230->51231 51233 401518 51231->51233 51234 40153b 51231->51234 51241 4013ac LocalAlloc 51233->51241 51234->51222 51236 401524 51236->51234 51237 401528 VirtualFree 51236->51237 51237->51234 51238->51226 51239->51222 51240->51224 51241->51236 51243 401d16 51242->51243 51244 401d39 51243->51244 51245 401d4b 51243->51245 51255 401928 51244->51255 51246 401928 3 API calls 51245->51246 51248 401d49 51246->51248 51254 401d61 51248->51254 51265 401be0 9 API calls 51248->51265 51250 401d70 51251 401d8a 51250->51251 51266 401c34 9 API calls 51250->51266 51267 40144c LocalAlloc 51251->51267 51254->51217 51256 40194e 51255->51256 51264 
4019a7 51255->51264 51268 4016f4 51256->51268 51260 40196b 51262 401982 51260->51262 51273 4015b8 VirtualFree 51260->51273 51262->51264 51274 40144c LocalAlloc 51262->51274 51264->51248 51265->51250 51266->51251 51267->51254 51270 40172b 51268->51270 51269 40176b 51272 4013e8 LocalAlloc 51269->51272 51270->51269 51271 401745 VirtualFree 51270->51271 51271->51270 51272->51260 51273->51262 51274->51264 51275 4164ec 73EA5CF0 51276 497f84 51332 40332c 51276->51332 51278 497f92 51335 405600 51278->51335 51280 497f97 51338 4098b4 51280->51338 51284 497fa1 51348 4108c4 51284->51348 51286 497fa6 51352 41288c 51286->51352 51288 497fb0 51357 418f30 GetVersion 51288->51357 51290 497fb5 51362 4304e0 51290->51362 51292 497fc4 51366 452750 51292->51366 51294 497fce 51372 452b30 GetVersionExA 51294->51372 51296 497fd3 51374 455378 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 51296->51374 51302 497fe7 51390 464184 51302->51390 51304 497ff1 51393 46bf28 51304->51393 51306 497ff6 51396 477704 GetModuleHandleA GetProcAddress GetProcAddress 51306->51396 51308 497ffb 51397 481a64 51308->51397 51310 498000 51403 4951e0 RegisterClipboardFormatA 51310->51403 51315 424340 4 API calls 51316 498034 51315->51316 51409 497ddc 51316->51409 51318 498039 51431 424130 51318->51431 51320 49807b ShowWindow 51321 4980a3 51320->51321 51437 47df40 51321->51437 51323 4980a8 51577 424424 51323->51577 51598 4032e4 51332->51598 51334 403331 GetModuleHandleA GetCommandLineA 51334->51278 51337 40563b 51335->51337 51599 403398 LocalAlloc TlsSetValue TlsGetValue 51335->51599 51337->51280 51600 408f8c 51338->51600 51343 408688 6 API calls 51344 4098d7 51343->51344 51615 408fd8 GetVersionExA 51344->51615 51347 409ae8 6F9C1CD0 51347->51284 51349 4108ce 51348->51349 51350 41090d GetCurrentThreadId 51349->51350 51351 410928 51350->51351 51351->51286 51628 40ae6c 51352->51628 51356 4128b8 51356->51288 51640 41dd04 8 API calls 51357->51640 51359 418f49 51642 418e28 GetCurrentProcessId 51359->51642 
51361 418f4e 51361->51290 51363 4304ea 51362->51363 51750 43042c RegisterClipboardFormatA RegisterClipboardFormatA GetCurrentThreadId 51363->51750 51365 4304ef 51365->51292 51367 45275a 51366->51367 51753 4526e0 51367->51753 51373 452b48 51372->51373 51373->51296 51375 4553cb 51374->51375 51376 42e09c 2 API calls 51375->51376 51377 4553ee 51376->51377 51378 42e50c 4 API calls 51377->51378 51379 4553fb 51378->51379 51380 4033cc 3 API calls 51379->51380 51381 455410 51380->51381 51382 458938 51381->51382 51383 458942 51382->51383 51765 4588cc CoInitialize 51383->51765 51385 458947 51386 459788 51385->51386 51387 4597a6 51386->51387 51770 459198 GetSystemTimeAsFileTime FileTimeToLocalFileTime 51387->51770 51389 4597ab 51389->51302 51391 44e68c 49 API calls 51390->51391 51392 464189 LoadLibraryA GetProcAddress 51391->51392 51392->51304 51394 42e09c 2 API calls 51393->51394 51395 46bf3c GetProcAddress 51394->51395 51395->51306 51396->51308 51398 481a82 51397->51398 51772 481560 GetModuleHandleA GetProcAddress 51398->51772 51402 481a96 51402->51310 51404 49520c 51403->51404 51405 495216 SetErrorMode 51403->51405 51792 42e5f0 GetModuleHandleA GetProcAddress InterlockedExchange ChangeWindowMessageFilter 51404->51792 51407 497d94 GetModuleHandleA GetProcAddress 51405->51407 51408 497dad 51407->51408 51408->51315 51793 42d178 GetCommandLineA 51409->51793 51411 497e5c 51415 42d1d4 5 API calls 51411->51415 51412 497ee1 51413 497ee8 51412->51413 51414 497eee 51412->51414 51417 497eec 51413->51417 51418 497f06 51413->51418 51807 497278 47 API calls 51414->51807 51420 497e6c 51415->51420 51416 42d1d4 LocalAlloc TlsSetValue TlsGetValue GetModuleFileNameA GetCommandLineA 51429 497e01 51416->51429 51425 4033cc 3 API calls 51417->51425 51808 49784c 157 API calls 51418->51808 51800 45345c 51420->51800 51423 497e7b 51806 4533f8 19 API calls 51423->51806 51424 497efa 51424->51417 51427 497f4c 51425->51427 51426 497e27 51426->51411 51426->51412 51427->51318 51429->51416 51429->51426 

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd

                                    Control-flow Graph

                                    APIs
                                    • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422860
                                    • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422A2A), ref: 00422870
                                    • SendMessageA.USER32(00000000,00000234,00000000,00000000), ref: 004228DE
                                    Similarity
                                    • API ID: MessageSend$ShowWindow
                                    • String ID:
                                    • API String ID: 187340077-0
                                    APIs
                                      • Part of subcall function 00494F24: GetWindowRect.USER32(00000000), ref: 00494F3A
                                    • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 0046722B
                                      • Part of subcall function 0041D590: GetObjectA.GDI32(?,00000018,00467245), ref: 0041D5BB
                                      • Part of subcall function 00466CB8: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00466D55
                                      • Part of subcall function 00466CB8: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466D7B
                                      • Part of subcall function 00466CB8: SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00466DD7
                                      • Part of subcall function 00466CB8: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466DFD
                                      • Part of subcall function 00494E74: 73E9A570.USER32(00000000,?,?,?), ref: 00494E96
                                      • Part of subcall function 00494E74: SelectObject.GDI32(?,00000000), ref: 00494EBC
                                      • Part of subcall function 00494E74: 73E9A480.USER32(00000000,?,00494F1A,00494F13,?,00000000,?,?,?), ref: 00494F0D
                                      • Part of subcall function 0049516C: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495176
                                      • Part of subcall function 0049517C: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495186
                                    • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021BBCBC,021BD0FC,?,?,021BD124,?,?,021BD168,?), ref: 00467E80
                                    • AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00467E95
                                    • AppendMenuA.USER32(?,00000000,0000270F,00000000), ref: 00467EB0
                                      • Part of subcall function 00429EB8: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 00429ECE
                                    Similarity
                                    • API ID: Menu$AppendExtractFileIconInfoObject$A480A570BitmapLoadMessageRectSelectSendSystemWindow
                                    • String ID: $(Default)$STOPIMAGE
                                    • API String ID: 3433789705-770201673

                                    Control-flow Graph

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,0047DF18,?,00000000,00000000,?,?,0047F080,?,?,00000000), ref: 0047DD7C
                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,?,?,00000000,?,00000000,0047DF18,?,00000000,00000000,?,?,0047F080,?), ref: 0047DDC5
                                    • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,?,00000000,?,00000000,0047DF18,?,00000000,00000000,?,?,0047F080), ref: 0047DDD2
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,0047DF18,?,00000000,00000000,?,?,0047F080,?), ref: 0047DE1E
                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,0047DEEB,?,00000000,?,00000000,?,?,00000000,?,00000000,0047DF18,?,00000000), ref: 0047DEC7
                                    • FindClose.KERNEL32(000000FF,0047DEF2,0047DEEB,?,00000000,?,00000000,?,?,00000000,?,00000000,0047DF18,?,00000000,00000000), ref: 0047DEE5
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 3541575487-0
                                    APIs
                                    • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4BC,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    APIs
                                    • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00423FBD,?,00000000,00423FC8), ref: 00423A1A
                                    Similarity
                                    • API ID: NtdllProc_Window
                                    • String ID:
                                    • API String ID: 4255912815-0

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00481571
                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0048157E
                                    • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0048158C
                                    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00481594
                                    • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 004815A0
                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 004815C1
                                    • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004815D4
                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 004815DA
                                    • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004815F1
                                    Similarity
                                    • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                    • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                    • API String ID: 2230631259-2623177817

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    • RegCloseKey.ADVAPI32(?,00468A26,?,?,00000001,00000000,00000000,00468A41,?,00000000,00000000,?), ref: 00468A0F
                                    Strings
                                    • Inno Setup: User Info: Name, xrefs: 004689CB
                                    • Inno Setup: Icon Group, xrefs: 004688EA
                                    • Inno Setup: App Path, xrefs: 004688CE
                                    • Inno Setup: Deselected Tasks, xrefs: 0046899D
                                    • Inno Setup: Selected Components, xrefs: 0046892E
                                    • Inno Setup: Setup Type, xrefs: 0046891E
                                    • Inno Setup: Selected Tasks, xrefs: 0046897B
                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0046886B
                                    • Inno Setup: Deselected Components, xrefs: 00468950
                                    • Inno Setup: User Info: Serial, xrefs: 004689F1
                                    • %s\%s_is1, xrefs: 00468889
                                    • Inno Setup: User Info: Organization, xrefs: 004689DE
                                    • Inno Setup: No Icons, xrefs: 004688F7
                                    Similarity
                                    • API ID: CloseOpen
                                    • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                    • API String ID: 47109696-1093091907

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0041F2A4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EC84,?,004236FB,00423A78,0041EC84), ref: 0041F2C2
                                    • GetClassInfoA.USER32(00400000,004234E8), ref: 0042370B
                                    • RegisterClassA.USER32(00499630), ref: 00423723
                                    • GetSystemMetrics.USER32(00000000), ref: 00423745
                                    • GetSystemMetrics.USER32(00000001), ref: 00423754
                                    • SetWindowLongA.USER32(004105C0,000000FC,004234F8), ref: 004237B0
                                    • SendMessageA.USER32(004105C0,00000080,00000001,00000000), ref: 004237D1
                                    • GetSystemMenu.USER32(004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423A78,0041EC84), ref: 004237DC
                                    • DeleteMenu.USER32(00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423A78,0041EC84), ref: 004237EB
                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 004237F8
                                    • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000), ref: 0042380E
                                    Similarity
                                    • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                    • String ID: 4B
                                    • API String ID: 183575631-3351857111

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00455411,?,?,?,?,00000000,?,00497FDD), ref: 00455398
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045539E
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00455411,?,?,?,?,00000000,?,00497FDD), ref: 004553B2
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004553B8
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                    • API String ID: 1646373207-2130885113

                                    Control-flow Graph

                                    APIs
                                    • GetProcAddress.KERNEL32(74A90000,SHGetFolderPathA), ref: 0047B43A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Similarity
                                    • API ID: AddressProc
                                    • String ID: Failed to get version numbers of _shfoldr.dll$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll

                                    APIs
                                    • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430434
                                    • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430443
                                    • GetCurrentThreadId.KERNEL32 ref: 0043045D
                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 0043047E
                                    Strings
                                    Similarity
                                    • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                    • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help

                                    APIs
                                    • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047B19F,?,?,00000000,0049B624,00000000,00000000,?,004979B5,00000000,00497B5E,?,00000000), ref: 0047B0BF
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,0047B19F,?,?,00000000,0049B624,00000000,00000000,?,004979B5,00000000,00497B5E,?,00000000), ref: 0047B0C8
                                    Strings
                                    Similarity
                                    • API ID: CreateDirectoryErrorLast
                                    • String ID: REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup

                                    APIs
                                    • LoadIconA.USER32(00400000,MAINICON), ref: 00423588
                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418ED6,00000000,?,?,?,00000001), ref: 004235B5
                                    • OemToCharA.USER32(?,?), ref: 004235C8
                                    • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418ED6,00000000,?,?,?,00000001), ref: 00423608
                                    Strings
                                    Similarity
                                    • API ID: Char$FileIconLoadLowerModuleName
                                    • String ID: 2$MAINICON

                                    APIs
                                    • GetCurrentProcessId.KERNEL32(00000000), ref: 00418E2D
                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 00418E4E
                                    • GetCurrentThreadId.KERNEL32 ref: 00418E69
                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 00418E8A
                                      • Part of subcall function 00422F34: 73E9A570.USER32(00000000,?,?,00000000,?,00418EC3,00000000,?,?,?,00000001), ref: 00422F8A
                                      • Part of subcall function 00422F34: EnumFontsA.GDI32(00000000,00000000,00422ED4,004105C0,00000000,?,?,00000000,?,00418EC3,00000000,?,?,?,00000001), ref: 00422F9D
                                      • Part of subcall function 00422F34: 73EA4620.GDI32(00000000,0000005A,00000000,00000000,00422ED4,004105C0,00000000,?,?,00000000,?,00418EC3,00000000), ref: 00422FA5
                                      • Part of subcall function 00422F34: 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00422ED4,004105C0,00000000,?,?,00000000,?,00418EC3,00000000), ref: 00422FB0
                                      • Part of subcall function 004234F8: LoadIconA.USER32(00400000,MAINICON), ref: 00423588
                                      • Part of subcall function 004234F8: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418ED6,00000000,?,?,?,00000001), ref: 004235B5
                                      • Part of subcall function 004234F8: OemToCharA.USER32(?,?), ref: 004235C8
                                      • Part of subcall function 004234F8: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418ED6,00000000,?,?,?,00000001), ref: 00423608
                                      • Part of subcall function 0041EFF8: GetVersion.KERNEL32(?,00418EE0,00000000,?,?,?,00000001), ref: 0041F006
                                      • Part of subcall function 0041EFF8: SetErrorMode.KERNEL32(00008000,?,00418EE0,00000000,?,?,?,00000001), ref: 0041F022
                                      • Part of subcall function 0041EFF8: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418EE0,00000000,?,?,?,00000001), ref: 0041F02E
                                      • Part of subcall function 0041EFF8: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418EE0,00000000,?,?,?,00000001), ref: 0041F03C
                                      • Part of subcall function 0041EFF8: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F06C
                                      • Part of subcall function 0041EFF8: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F095
                                      • Part of subcall function 0041EFF8: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F0AA
                                      • Part of subcall function 0041EFF8: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F0BF
                                      • Part of subcall function 0041EFF8: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F0D4
                                      • Part of subcall function 0041EFF8: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F0E9
                                      • Part of subcall function 0041EFF8: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F0FE
                                      • Part of subcall function 0041EFF8: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F113
                                      • Part of subcall function 0041EFF8: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F128
                                      • Part of subcall function 0041EFF8: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F13D
                                    Strings
                                    Similarity
                                    • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A4620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                    • String ID: ControlOfs%.8X%.8X$Delphi%.8X

                                    APIs
                                    • SetWindowLongA.USER32(?,000000FC,?), ref: 004135C8
                                    • GetWindowLongA.USER32(?,000000F0), ref: 004135D3
                                    • GetWindowLongA.USER32(?,000000F4), ref: 004135E5
                                    • SetWindowLongA.USER32(?,000000F4,?), ref: 004135F8
                                    • SetPropA.USER32(?,00000000,00000000), ref: 0041360F
                                    • SetPropA.USER32(?,00000000,00000000), ref: 00413626
                                    Similarity
                                    • API ID: LongWindow$Prop
                                    • String ID:
                                    APIs
                                    • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00466D55
                                    • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466D7B
                                      • Part of subcall function 00466BF8: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00466C90
                                      • Part of subcall function 00466BF8: DestroyCursor.USER32(00000000), ref: 00466CA6
                                    • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00466DD7
                                    • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466DFD
                                    Strings
                                    Similarity
                                    • API ID: Icon$ExtractFileInfo$CursorDestroyDraw
                                    • String ID: c:\directory
                                    APIs
                                    • 751C1520.VERSION(00000000,?,?,?,?), ref: 004546B8
                                    • 751C1500.VERSION(00000000,?,00000000,?,00000000,00454733,?,00000000,?,?,?,?), ref: 004546E5
                                    • 751C1540.VERSION(?,0045475C,?,?,00000000,?,00000000,?,00000000,00454733,?,00000000,?,?,?,?), ref: 004546FF
                                    Strings
                                    Similarity
                                    • API ID: C1500C1520C1540
                                    • String ID: mGE
                                    APIs
                                    • GetMenu.USER32(00000000), ref: 004211DD
                                    • SetMenu.USER32(00000000,00000000), ref: 004211FA
                                    • SetMenu.USER32(00000000,00000000), ref: 0042122F
                                    • SetMenu.USER32(00000000,00000000), ref: 0042124B
                                    Similarity
                                    • API ID: Menu
                                    • String ID:
                                    APIs
                                    • SendMessageA.USER32(?,?,?,?), ref: 00416A84
                                    • SetTextColor.GDI32(?,00000000), ref: 00416A9E
                                    • SetBkColor.GDI32(?,00000000), ref: 00416AB8
                                    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416AE0
                                    Similarity
                                    • API ID: Color$CallMessageProcSendTextWindow
                                    • String ID:
                                    APIs
                                    • EnumWindows.USER32(00423888), ref: 00423914
                                    • GetWindow.USER32(?,00000003), ref: 00423929
                                    • GetWindowLongA.USER32(?,000000EC), ref: 00423938
                                    • SetWindowPos.USER32(00000000,00423FC8,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424017,?,?,00423BDF), ref: 0042396E
                                    Similarity
                                    • API ID: Window$EnumLongWindows
                                    • String ID:
                                    APIs
                                    • 73E9A570.USER32(00000000,?,?,00000000,?,00418EC3,00000000,?,?,?,00000001), ref: 00422F8A
                                    • EnumFontsA.GDI32(00000000,00000000,00422ED4,004105C0,00000000,?,?,00000000,?,00418EC3,00000000,?,?,?,00000001), ref: 00422F9D
                                    • 73EA4620.GDI32(00000000,0000005A,00000000,00000000,00422ED4,004105C0,00000000,?,?,00000000,?,00418EC3,00000000), ref: 00422FA5
                                    • 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00422ED4,004105C0,00000000,?,?,00000000,?,00418EC3,00000000), ref: 00422FB0
                                    Similarity
                                    • API ID: A4620A480A570EnumFonts
                                    • String ID:
                                    APIs
                                    • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D187
                                    • LoadResource.KERNEL32(00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?,?,0047AFF0,0000000A,REGDLL_EXE), ref: 0040D1A1
                                    • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?,?,0047AFF0), ref: 0040D1BB
                                    • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?), ref: 0040D1C5
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID:
                                    APIs
                                      • Part of subcall function 0040332C: GetModuleHandleA.KERNEL32(00000000,00497F92), ref: 00403333
                                      • Part of subcall function 0040332C: GetCommandLineA.KERNEL32(00000000,00497F92), ref: 0040333E
                                      • Part of subcall function 00409AE8: 6F9C1CD0.COMCTL32(00497FA1), ref: 00409AE8
                                      • Part of subcall function 004108C4: GetCurrentThreadId.KERNEL32 ref: 00410912
                                      • Part of subcall function 00418F30: GetVersion.KERNEL32(00497FB5), ref: 00418F30
                                      • Part of subcall function 00452750: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00497FCE), ref: 0045278B
                                      • Part of subcall function 00452750: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00452791
                                      • Part of subcall function 00452B30: GetVersionExA.KERNEL32(0049B7CC,00497FD3), ref: 00452B3F
                                      • Part of subcall function 00455378: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00455411,?,?,?,?,00000000,?,00497FDD), ref: 00455398
                                      • Part of subcall function 00455378: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045539E
                                      • Part of subcall function 00455378: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00455411,?,?,?,?,00000000,?,00497FDD), ref: 004553B2
                                      • Part of subcall function 00455378: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004553B8
                                      • Part of subcall function 00464184: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00497FF1), ref: 00464193
                                      • Part of subcall function 00464184: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464199
                                      • Part of subcall function 0046BF28: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BF3D
                                      • Part of subcall function 00477704: GetModuleHandleA.KERNEL32(kernel32.dll,?,00497FFB), ref: 0047770A
                                      • Part of subcall function 00477704: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00477717
                                      • Part of subcall function 00477704: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00477727
                                      • Part of subcall function 004951E0: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 004951F9
                                    • SetErrorMode.KERNEL32(00000001,00000000,00498043), ref: 00498015
                                      • Part of subcall function 00497D94: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049801F,00000001,00000000,00498043), ref: 00497D9E
                                      • Part of subcall function 00497D94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00497DA4
                                      • Part of subcall function 00424340: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0042435F
                                      • Part of subcall function 00424130: SetWindowTextA.USER32(?,00000000), ref: 00424148
                                    • ShowWindow.USER32(?,00000005,00000000,00498043), ref: 00498086
                                      • Part of subcall function 00480478: SetActiveWindow.USER32(?), ref: 0048051C
                                    Strings
                                    Similarity
                                    • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModeRegisterSendShowTextThread
                                    • String ID: Setup
                                    APIs
                                    • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00455C9B,?,?,00000000,0049B624,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00455BF2
                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,00455C9B,?,?,00000000,0049B624,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00455BFB
                                    Strings
                                    Similarity
                                    • API ID: CreateDirectoryErrorLast
                                    • String ID: .tmp
                                    APIs
                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047ADE6,00000000,0047ADFC,?,?,?,?,00000000), ref: 0047ABC2
                                    Strings
                                    Similarity
                                    • API ID: Close
                                    • String ID: RegisteredOrganization$RegisteredOwner
                                    APIs
                                      • Part of subcall function 0042E09C: SetErrorMode.KERNEL32(00008000), ref: 0042E0A6
                                      • Part of subcall function 0042E09C: LoadLibraryA.KERNEL32(00000000,00000000,0042E0F0,?,00000000,0042E10E,?,00008000), ref: 0042E0D5
                                    • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BF3D
                                    Strings
                                    Similarity
                                    • API ID: AddressErrorLibraryLoadModeProc
                                    • String ID: SHPathPrepareForWriteA$shell32.dll
                                    APIs
                                    • MulDiv.KERNEL32(00000000,?,00000000), ref: 00420523
                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00420598
                                    • MulDiv.KERNEL32(?,00000000,00000000), ref: 004205C4
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    APIs
                                    • GetSystemMenu.USER32(00000000,00000000,00000000,0047FB81), ref: 0047FB19
                                    • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0047FB2A
                                    • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 0047FB42
                                    Similarity
                                    • API ID: Menu$Append$System
                                    • String ID:
                                    APIs
                                    • 73E9A570.USER32(00000000,?,00000000,00000000,0044E4C1,?,00480493,?,?), ref: 0044E435
                                    • SelectObject.GDI32(?,00000000), ref: 0044E458
                                    • 73E9A480.USER32(00000000,?,0044E498,00000000,0044E491,?,00000000,?,00000000,00000000,0044E4C1,?,00480493,?,?), ref: 0044E48B
                                    Similarity
                                    • API ID: A480A570ObjectSelect
                                    • String ID:
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044E180,?,00480493,?,?), ref: 0044E152
                                    • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044E165
                                    • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044E199
                                    Similarity
                                    • API ID: DrawText$ByteCharMultiWide
                                    • String ID:
                                    APIs
                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042427E
                                    • TranslateMessage.USER32(?), ref: 004242FB
                                    • DispatchMessageA.USER32(?), ref: 00424305
                                    Similarity
                                    • API ID: Message$DispatchPeekTranslate
                                    • String ID:
                                    APIs
                                    • SetPropA.USER32(00000000,00000000), ref: 0041656A
                                    • SetPropA.USER32(00000000,00000000), ref: 0041657F
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004165A6
                                    Similarity
                                    • API ID: Prop$Window
                                    • String ID:
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017D5), ref: 0040150B
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017D5), ref: 00401532
                                    Strings
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID: LBg
                                    APIs
                                    • SetActiveWindow.USER32(?), ref: 0048051C
                                    Strings
                                    Similarity
                                    • API ID: ActiveWindow
                                    • String ID: InitializeWizard
                                    • API String ID: 2558294473-2356795471
                                    APIs
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047ACC2,00000000,0047ADFC), ref: 0047AAC1
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047AA91
                                    Similarity
                                    • API ID: CloseOpen
                                    • String ID: Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 47109696-1019749484
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    Strings
                                    • System\CurrentControlSet\Control\Windows, xrefs: 0042DB1A
                                    Similarity
                                    • API ID: Open
                                    • String ID: System\CurrentControlSet\Control\Windows
                                    • API String ID: 71445658-1109719901
                                    APIs
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DA1C), ref: 0042D920
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DA1C), ref: 0042D990
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    APIs
                                    • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AF52
                                    • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B0AF,00000000,0040B0C7,?,?,?,00000000), ref: 0040AF63
                                    Similarity
                                    • API ID: Resource$FindFree
                                    • String ID:
                                    • API String ID: 4097029671-0
                                    APIs
                                    • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,0040195B), ref: 0040174E
                                    Strings
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID: LBg
                                    • API String ID: 1263568516-2539156682
                                    APIs
                                    • LoadCursorA.USER32(00000000,00007F00), ref: 004230B5
                                    • LoadCursorA.USER32(00000000,00000000), ref: 004230DF
                                    Similarity
                                    • API ID: CursorLoad
                                    • String ID:
                                    • API String ID: 3238433803-0
                                    APIs
                                    • SetErrorMode.KERNEL32(00008000), ref: 0042E0A6
                                    • LoadLibraryA.KERNEL32(00000000,00000000,0042E0F0,?,00000000,0042E10E,?,00008000), ref: 0042E0D5
                                    Similarity
                                    • API ID: ErrorLibraryLoadMode
                                    • String ID:
                                    • API String ID: 2987862817-0
                                    APIs
                                    Similarity
                                    • API ID: Global$AllocLock
                                    • String ID:
                                    • API String ID: 15508794-0
                                    APIs
                                    • SendNotifyMessageA.USER32(000103BC,00000496,00002711,00000000), ref: 0047C558
                                    Similarity
                                    • API ID: MessageNotifySend
                                    • String ID:
                                    • API String ID: 3556456075-0
                                    APIs
                                    • GetSystemDefaultLCID.KERNEL32(00000000,0040867A), ref: 00408563
                                      • Part of subcall function 00406D54: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406D71
                                      • Part of subcall function 004084D0: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4BC,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
                                    Similarity
                                    • API ID: DefaultInfoLoadLocaleStringSystem
                                    • String ID:
                                    • API String ID: 1658689577-0
                                    APIs
                                    • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FB19
                                    Similarity
                                    • API ID: InfoScroll
                                    • String ID:
                                    • API String ID: 629608716-0
                                    APIs
                                    • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416485
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    APIs
                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414907
                                    Similarity
                                    • API ID: CallbackDispatcherUser
                                    • String ID:
                                    • API String ID: 2492992576-0
                                    APIs
                                    • GetFileAttributesA.KERNEL32(00000000,00000000,0042CA9C,?,00000001,?,?,00000000,?,0042CAEE,00000000,00454BAD,00000000,00454BCE,?,00000000), ref: 0042CA7F
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00453534
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 70c3fc8d735ee544cd7fd24f7ff08135e9fa3a6e5bf2cae660584d9d308858ac
                                    • Instruction ID: 9cdb49b7a9ef993696f5dde1c9afee02c6f99de1b51364e3d79a65dec67121fe
                                    • Opcode Fuzzy Hash: 70c3fc8d735ee544cd7fd24f7ff08135e9fa3a6e5bf2cae660584d9d308858ac
                                    • Instruction Fuzzy Hash: ACE012653441486EE380DEADBC41F9777DCD71D728F008037B598D7251C965DD119BA8
                                    APIs
                                    • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004553FB,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E52B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: FormatMessage
                                    • String ID:
                                    • API String ID: 1306739567-0
                                    • Opcode ID: b6f407d21faf8b7194aca57f49db4c9863bcfc2be54e12bdb0e79143c1f97f8a
                                    • Instruction ID: b596be7ba24695fedb4a45320aae49ce61774f821b075c54ae680d4449d7345e
                                    • Opcode Fuzzy Hash: b6f407d21faf8b7194aca57f49db4c9863bcfc2be54e12bdb0e79143c1f97f8a
                                    • Instruction Fuzzy Hash: 6AE0D8617E475136F6251895BC83B77530E43C0708FD44026B740DD3D2EABEDD8A415E
                                    APIs
                                    • CreateWindowExA.USER32(00000000,004234E8,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423A78), ref: 004062B1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: e3714cad1c9f34a46d3dc216f3ad21bd635b8ec02505eb91f910449672cbc28c
                                    • Instruction ID: a147f95ab2e7a13111811b8307f431208f548e9b1b8aaedca69ed5c0993eeeeb
                                    • Opcode Fuzzy Hash: e3714cad1c9f34a46d3dc216f3ad21bd635b8ec02505eb91f910449672cbc28c
                                    • Instruction Fuzzy Hash: 4AE002B2204349BFDB00DE8ADCC1DABB7ACFB4C654F848105BB1C972428275AC608B71
                                    APIs
                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406E8C
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: FileWrite
                                    • String ID:
                                    • API String ID: 3934441357-0
                                    • Opcode ID: 5f4dbf4e9b964e836555cf1e7d1cd38755e31665f1261513b7c6ee95ba0193e1
                                    • Instruction ID: eb871d9fba6634337184fbf6c9050bbcd952a34e42a86691c85fcd560ea38081
                                    • Opcode Fuzzy Hash: 5f4dbf4e9b964e836555cf1e7d1cd38755e31665f1261513b7c6ee95ba0193e1
                                    • Instruction Fuzzy Hash: C5D05B763082107AD220A55F9C84DA76BDCCFC9770F11073EB558C71C1D7748C018675
                                    APIs
                                      • Part of subcall function 00423464: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423479
                                    • ShowWindow.USER32(004105C0,00000009,?,00000000,0041EC84,004237A6,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423A78), ref: 004234D3
                                      • Part of subcall function 00423494: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 004234B0
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: InfoParametersSystem$ShowWindow
                                    • String ID:
                                    • API String ID: 3202724764-0
                                    • Opcode ID: 4cb1217dc779a14262a6367be341612073207d9bf5f5532ab7546a3a881f6d1f
                                    • Instruction ID: 394c6509b1780666e35e08e9c5d4399b0115664db770d69dab82bd8b18d39576
                                    • Opcode Fuzzy Hash: 4cb1217dc779a14262a6367be341612073207d9bf5f5532ab7546a3a881f6d1f
                                    • Instruction Fuzzy Hash: 88D0A512741370210713F9773405D8782B84DC625F3C844B77444C7307D51D8D0555FC
                                    APIs
                                    • SetWindowTextA.USER32(?,00000000), ref: 00424148
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: TextWindow
                                    • String ID:
                                    • API String ID: 530164218-0
                                    • Opcode ID: 002e80b7b9bf013caaa9325d165e776319b4d22cb2b10deccf5e5f4800943bae
                                    • Instruction ID: e2ec05e2cc7a8d7579080198e5407e7ef0898304a2350d3fd8a8c51ad05eabe9
                                    • Opcode Fuzzy Hash: 002e80b7b9bf013caaa9325d165e776319b4d22cb2b10deccf5e5f4800943bae
                                    • Instruction Fuzzy Hash: ABD05BE270053057D701BBED58C4AD667CC5B8825671840B7F914DB357C638CD508794
                                    APIs
                                    • KiUserCallbackDispatcher.NTDLL(0049503E,?,?,00000000,0049503E,?,?), ref: 004145C1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CallbackDispatcherUser
                                    • String ID:
                                    • API String ID: 2492992576-0
                                    • Opcode ID: c377ba7f7355c5aa676be68bef59863d9bb2c227309eb4dd02442c2688cba537
                                    • Instruction ID: 5b8a9f82cc441f615bfefd8715e7fd69627fac6e7dd34f19aa61d7ad55b42e03
                                    • Opcode Fuzzy Hash: c377ba7f7355c5aa676be68bef59863d9bb2c227309eb4dd02442c2688cba537
                                    • Instruction Fuzzy Hash: 69D09E717002269F9744CE9DD5C8C56FB69FB4D261345C3A5A5088B306DB71AC40CAE0
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A834,0040CDE0,?,00000000,?), ref: 00406E45
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 7653a0f8f711fe27be4d777bd7cf576125642a5da637cdd49478306de3221390
                                    • Instruction ID: f6c145c872d80b3c1d91be0bd7b4e180a83351b1b570efd536713790883b9fa4
                                    • Opcode Fuzzy Hash: 7653a0f8f711fe27be4d777bd7cf576125642a5da637cdd49478306de3221390
                                    • Instruction Fuzzy Hash: DCC048A0380300B2F52026AA1CC7F1A444C6708B1AE60842AB340BF1D2C8E9A804151C
                                    APIs
                                    • SetErrorMode.KERNEL32(?,0042E115), ref: 0042E108
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    • Opcode ID: ea0da4c9d807fc7e9819791902dc1d8c328a5628f632760f1dea36cf8bee8260
                                    • Instruction ID: 4327ed8a948d2070d06d635ff4efcadd15feb94e4ec8e3181c4556033c78feaf
                                    • Opcode Fuzzy Hash: ea0da4c9d807fc7e9819791902dc1d8c328a5628f632760f1dea36cf8bee8260
                                    • Instruction Fuzzy Hash: DBB09B7671C6045DEB099A95785342963D4D7C87103E14477F004D7581D93D5410491C
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 824ccf4e8b1975641a6b3a89364f35963a725c575e1864201608d8230ebaa1cc
                                    • Instruction ID: 6d0977af118f8c85fe5c905820c4ecdbd4e530e236b765672e423f8575f07e12
                                    • Opcode Fuzzy Hash: 824ccf4e8b1975641a6b3a89364f35963a725c575e1864201608d8230ebaa1cc
                                    • Instruction Fuzzy Hash: 1DA002655116019ADE04A7A5C85DF6626A8BF44205FC945FA71049B092C53C94008A18
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045F628
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: ad386caf314a8b694bbaba686acb71165ba6f2bc1a12af4bc14e0e664bc4da9d
                                    • Instruction ID: 3f82bbf9741b55c3a41f4024eb900aac99e92a814942850d7857290a03bcea92
                                    • Opcode Fuzzy Hash: ad386caf314a8b694bbaba686acb71165ba6f2bc1a12af4bc14e0e664bc4da9d
                                    • Instruction Fuzzy Hash: 3D1172716002049BDB00AE19C8C1B5B3794AF81359F14807EFD589B3C7DB78EC098BAB
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EC84,?,004236FB,00423A78,0041EC84), ref: 0041F2C2
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 57f90ed134dba8f179fe120fc2457f2ef474867e1c6f6b232603c9c2753e5f36
                                    • Instruction ID: 2b4a896afd4bc6ecbc016aa70493554de3218c0f9c7174f3e6f422833746db1a
                                    • Opcode Fuzzy Hash: 57f90ed134dba8f179fe120fc2457f2ef474867e1c6f6b232603c9c2753e5f36
                                    • Instruction Fuzzy Hash: E0115A782407059FD710DF19D881B82FBE5EF98390F20C57AE9988B385D374E8498BA9
                                    APIs
                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,0045F61E), ref: 0045F557
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-0
                                    • Opcode ID: 35fd4e5243f90f09261d36095e7221ebe0b5f84740c786d1e4cdf9c10a95499c
                                    • Instruction ID: fc083b737264b1c3d6c5b63cf61fbfcf0f67c4599b1a65fcbd40f10ea694d4f0
                                    • Opcode Fuzzy Hash: 35fd4e5243f90f09261d36095e7221ebe0b5f84740c786d1e4cdf9c10a95499c
                                    • Instruction Fuzzy Hash: EFD0EAB1755705ABEF90EEB98CC1B1237D8BB08A41F1045BAA908EB286E674D804CA19
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: ca728db07f90d051b538295a207cdf5b276de78629ca9df2bbfcb0378dcfc150
                                    • Instruction ID: c94158d82116293269b9ff53cf1606e13e4023764a8a74393531a2a2798bf9b0
                                    • Opcode Fuzzy Hash: ca728db07f90d051b538295a207cdf5b276de78629ca9df2bbfcb0378dcfc150
                                    • Instruction Fuzzy Hash:
                                    APIs
                                      • Part of subcall function 0044E638: GetVersionExA.KERNEL32(00000094), ref: 0044E655
                                    • LoadLibraryA.KERNEL32(uxtheme.dll,?,00452781,00497FCE), ref: 0044E6B3
                                    • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044E6CB
                                    • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044E6DD
                                    • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044E6EF
                                    • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044E701
                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044E713
                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044E725
                                    • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044E737
                                    • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044E749
                                    • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044E75B
                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044E76D
                                    • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044E77F
                                    • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044E791
                                    • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044E7A3
                                    • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044E7B5
                                    • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044E7C7
                                    • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044E7D9
                                    • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044E7EB
                                    • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044E7FD
                                    • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044E80F
                                    • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044E821
                                    • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044E833
                                    • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044E845
                                    • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044E857
                                    • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044E869
                                    • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044E87B
                                    • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044E88D
                                    • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044E89F
                                    • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044E8B1
                                    • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044E8C3
                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044E8D5
                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044E8E7
                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044E8F9
                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044E90B
                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044E91D
                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044E92F
                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044E941
                                    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044E953
                                    • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044E965
                                    • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044E977
                                    • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044E989
                                    • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044E99B
                                    • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044E9AD
                                    • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044E9BF
                                    • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044E9D1
                                    • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044E9E3
                                    • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044E9F5
                                    • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044EA07
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressProc$LibraryLoadVersion
                                    • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                    • API String ID: 1968650500-2910565190
                                    Similarity
                                    • API ID:
                                    • String ID: BASE64DECRYPTSTRING$BASE64ENCRYPTSTRING$CUSTOMBASE64DECRYPTSTRING$CUSTOMBASE64ENCRYPTSTRING$DELEMPTYTREE$DISABLEDABOUTMENU$EXITWINDOWSEX$GETCRC32OFFILE$GETCRC32OFSTRING$GETCRC32OFUNICODESTRING$GETSHA1OFFILE$GETSHA1OFSTRING$GETSHA1OFUNICODESTRING$PROCESSMESSAGESEVENTS$RIGHTPOS$SETUNINSTEXEICONS$UPDATEICONS${tmp}\
                                    • API String ID: 0-3158843956
                                    APIs
                                    • GetTickCount.KERNEL32 ref: 0045A32F
                                    • QueryPerformanceCounter.KERNEL32(021A3850,00000000,0045A5C2,?,?,021A3850,00000000,?,0045AC2E,?,021A3850,00000000), ref: 0045A338
                                    • GetSystemTimeAsFileTime.KERNEL32(021A3850,021A3850), ref: 0045A342
                                    • GetCurrentProcessId.KERNEL32(?,021A3850,00000000,0045A5C2,?,?,021A3850,00000000,?,0045AC2E,?,021A3850,00000000), ref: 0045A34B
                                    • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0045A3C1
                                    • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,021A3850,021A3850), ref: 0045A3CF
                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B1C,00000003,00000000,00000000,00000000,0045A57E), ref: 0045A417
                                    • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045A56D,?,00000000,C0000000,00000000,00499B1C,00000003,00000000,00000000,00000000,0045A57E), ref: 0045A450
                                      • Part of subcall function 0042D64C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D65F
                                    • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0045A4F9
                                    • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045A52F
                                    • CloseHandle.KERNEL32(000000FF,0045A574,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0045A567
                                      • Part of subcall function 00455624: GetLastError.KERNEL32(00000000,00456095,00000005,00000000,004560CA,?,?,00000000,0049B624,00000004,00000000,00000000,00000000,?,00497821,00000000), ref: 00455627
                                    Similarity
                                    • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                    • String ID: CreateFile$CreateNamedPipe$CreateProcess$D$SetNamedPipeHandleState$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                    • API String ID: 770386003-1568146631
                                    APIs
                                    • GetVersion.KERNEL32 ref: 0045E562
                                    • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045E582
                                    • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045E58F
                                    • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045E59C
                                    • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045E5AA
                                      • Part of subcall function 0045E454: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045E4F3,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045E4CD
                                    • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045E79D,?,?,00000000), ref: 0045E663
                                    • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045E79D,?,?,00000000), ref: 0045E66C
                                    Similarity
                                    • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                    • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                    • API String ID: 59345061-4263478283
                                    APIs
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00477093
                                    • GetLastError.KERNEL32(?,?), ref: 0047709C
                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004770E9
                                    • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047710D
                                    • CloseHandle.KERNEL32(00000000,0047713E,00000000,00000000,000000FF,000000FF,00000000,00477137,?,?,?), ref: 00477131
                                    Similarity
                                    • API ID: CloseCodeErrorExecuteExitHandleLastMultipleObjectsProcessShellWait
                                    • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                    • API String ID: 171997614-221126205
                                    APIs
                                    • SysFreeString.OLEAUT32(?), ref: 004583FD
                                    • CoCreateInstance.OLE32(00499AC4,00000000,00000001,00499770,?,00000000,004584F8), ref: 0045826E
                                      • Part of subcall function 00403C70: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CAA
                                      • Part of subcall function 00403C70: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CB5
                                    • CoCreateInstance.OLE32(00499760,00000000,00000001,00499770,?,00000000,004584F8), ref: 00458294
                                    Similarity
                                    • API ID: CreateInstanceString$AllocByteCharFreeMultiWide
                                    • String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue$IShellLink::QueryInterface
                                    • API String ID: 2125489766-2052886881
                                    APIs
                                    • IsIconic.USER32(?), ref: 0041827F
                                    • GetWindowPlacement.USER32(?,0000002C), ref: 0041829C
                                    • GetWindowRect.USER32(?), ref: 004182B8
                                    • GetWindowLongA.USER32(?,000000F0), ref: 004182C6
                                    • GetWindowLongA.USER32(?,000000F8), ref: 004182DB
                                    • ScreenToClient.USER32(00000000), ref: 004182E4
                                    • ScreenToClient.USER32(00000000,?), ref: 004182EF
                                    Similarity
                                    • API ID: Window$ClientLongScreen$IconicPlacementRect
                                    • String ID: ,
                                    • API String ID: 2266315723-3772416878
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000028), ref: 00457565
                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0045756B
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00457584
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004575AB
                                    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004575B0
                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 004575BF
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 107509674-3733053543
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,0049765E,?,?,00000000,0049B624,?,004977E8,00000000,0049783C,?,?,00000000,0049B624), ref: 00497577
                                    • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 004975FA
                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00497636,?,00000000,?,00000000,0049765E,?,?,00000000,0049B624,?,004977E8,00000000), ref: 00497612
                                    • FindClose.KERNEL32(000000FF,0049763D,00497636,?,00000000,?,00000000,0049765E,?,?,00000000,0049B624,?,004977E8,00000000,0049783C), ref: 00497630
                                    Similarity
                                    • API ID: FileFind$AttributesCloseFirstNext
                                    • String ID: isRS-$isRS-???.tmp
                                    • API String ID: 134685335-3422211394
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,?,?,?,00000000,0047BF3E,?,00000000,?,00000000,?,0047C082,00000000,00000000), ref: 0047BCD9
                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,0047BDE9,?,00000000,?,?,?,?,00000000,0047BF3E,?,00000000,?,00000000), ref: 0047BDC5
                                    • FindClose.KERNEL32(000000FF,0047BDF0,0047BDE9,?,00000000,?,?,?,?,00000000,0047BF3E,?,00000000,?,00000000), ref: 0047BDE3
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,0047BF3E,?,00000000,?,00000000,?,0047C082,00000000), ref: 0047BE3C
                                    Similarity
                                    • API ID: Find$File$First$CloseNext
                                    • String ID:
                                    • API String ID: 2001080981-0
                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00457EC0), ref: 00457DBC
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00457DC2
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                    • API String ID: 1646373207-3712701948
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,004745CA,?,?,00000001,0049C1A4), ref: 004744B9
                                    • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004745CA,?,?,00000001,0049C1A4), ref: 00474596
                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004745CA,?,?,00000001,0049C1A4), ref: 004745A4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID: unins$unins???.*
                                    • API String ID: 3541575487-1009660736
                                    APIs
                                    • IsIconic.USER32(?), ref: 00417BFB
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417C19
                                    • GetWindowPlacement.USER32(?,0000002C), ref: 00417C4F
                                    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417C76
                                    Strings
                                    Similarity
                                    • API ID: Window$Placement$Iconic
                                    • String ID: ,
                                    • API String ID: 568898626-3772416878
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001,00000000,00463A29), ref: 0046389D
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,004639FC,?,00000001,00000000,00463A29), ref: 0046392C
                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,004639DE,?,00000000,?,00000000,004639FC,?,00000001,00000000,00463A29), ref: 004639BE
                                    • FindClose.KERNEL32(000000FF,004639E5,004639DE,?,00000000,?,00000000,004639FC,?,00000001,00000000,00463A29), ref: 004639D8
                                    Similarity
                                    • API ID: Find$File$CloseErrorFirstModeNext
                                    • String ID:
                                    • API String ID: 4011626565-0
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001,00000000,00463ECF), ref: 00463D5D
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00463E9A,?,00000001,00000000,00463ECF), ref: 00463DA3
                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00463E7C,?,00000000,?,00000000,00463E9A,?,00000001,00000000,00463ECF), ref: 00463E58
                                    • FindClose.KERNEL32(000000FF,00463E83,00463E7C,?,00000000,?,00000000,00463E9A,?,00000001,00000000,00463ECF), ref: 00463E76
                                    Similarity
                                    • API ID: Find$File$CloseErrorFirstModeNext
                                    • String ID:
                                    • API String ID: 4011626565-0
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004550C7,00000000,004550E8), ref: 0042E59A
                                    • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E5C5
                                    • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004550C7,00000000,004550E8), ref: 0042E5D2
                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004550C7,00000000,004550E8), ref: 0042E5DA
                                    • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004550C7,00000000,004550E8), ref: 0042E5E0
                                    Similarity
                                    • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                    • String ID:
                                    • API String ID: 1177325624-0
                                    APIs
                                      • Part of subcall function 0044E68C: LoadLibraryA.KERNEL32(uxtheme.dll,?,00452781,00497FCE), ref: 0044E6B3
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044E6CB
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044E6DD
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044E6EF
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044E701
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044E713
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044E725
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044E737
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044E749
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044E75B
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044E76D
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044E77F
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044E791
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044E7A3
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044E7B5
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044E7C7
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044E7D9
                                      • Part of subcall function 0044E68C: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044E7EB
                                    • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00497FF1), ref: 00464193
                                    • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464199
                                    Strings
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: SHPathPrepareForWriteA$shell32.dll
                                    • API String ID: 2238633743-2683653824
                                    APIs
                                    • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00458DF5
                                    • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00458E1C
                                    • SetForegroundWindow.USER32(?), ref: 00458E2D
                                    • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00459107,?,00000000,00459143), ref: 004590F2
                                    Similarity
                                    • API ID: MessagePostWindow$ForegroundNtdllProc_
                                    • String ID:
                                    • API String ID: 2236967946-0
                                    APIs
                                    • IsIconic.USER32(?), ref: 0048145E
                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 0048147C
                                    • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C07C,00480CBA,00480CEE,00000000,00480D0E,?,?,00000001,0049C07C), ref: 0048149E
                                    • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C07C,00480CBA,00480CEE,00000000,00480D0E,?,?,00000001,0049C07C), ref: 004814B2
                                    Similarity
                                    • API ID: Window$Show$IconicLong
                                    • String ID:
                                    • API String ID: 2754861897-0
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,004623C8), ref: 0046234C
                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,004623A8,?,00000000,?,00000000,004623C8), ref: 00462388
                                    • FindClose.KERNEL32(000000FF,004623AF,004623A8,?,00000000,?,00000000,004623C8), ref: 004623A2
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 3541575487-0
                                    APIs
                                    • IsIconic.USER32(?), ref: 00424050
                                    • SetActiveWindow.USER32(?,?,?,0046BEAC), ref: 0042405D
                                      • Part of subcall function 004234B8: ShowWindow.USER32(004105C0,00000009,?,00000000,0041EC84,004237A6,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423A78), ref: 004234D3
                                      • Part of subcall function 00423980: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021A25A4,00424076,?,?,?,0046BEAC), ref: 004239BB
                                    • SetFocus.USER32(00000000,?,?,?,0046BEAC), ref: 0042408A
                                    Similarity
                                    • API ID: Window$ActiveFocusIconicShow
                                    • String ID:
                                    • API String ID: 649377781-0
                                    APIs
                                    • IsIconic.USER32(?), ref: 00417BFB
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417C19
                                    • GetWindowPlacement.USER32(?,0000002C), ref: 00417C4F
                                    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417C76
                                    Similarity
                                    • API ID: Window$Placement$Iconic
                                    • String ID:
                                    • API String ID: 568898626-0
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00454C4B,?,?,-00000001,00000000), ref: 00454C25
                                    • GetLastError.KERNEL32(00000000,?,00000000,00454C4B,?,?,-00000001,00000000), ref: 00454C2D
                                    Similarity
                                    • API ID: ErrorFileFindFirstLast
                                    • String ID:
                                    • API String ID: 873889042-0
                                    APIs
                                    Similarity
                                    • API ID: CaptureIconic
                                    • String ID:
                                    • API String ID: 2277910766-0
                                    APIs
                                    • IsIconic.USER32(?), ref: 00424007
                                      • Part of subcall function 004238F0: EnumWindows.USER32(00423888), ref: 00423914
                                      • Part of subcall function 004238F0: GetWindow.USER32(?,00000003), ref: 00423929
                                      • Part of subcall function 004238F0: GetWindowLongA.USER32(?,000000EC), ref: 00423938
                                      • Part of subcall function 004238F0: SetWindowPos.USER32(00000000,00423FC8,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424017,?,?,00423BDF), ref: 0042396E
                                    • SetActiveWindow.USER32(?,?,?,00423BDF,00000000,00423FC8), ref: 0042401B
                                      • Part of subcall function 004234B8: ShowWindow.USER32(004105C0,00000009,?,00000000,0041EC84,004237A6,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423A78), ref: 004234D3
                                    Similarity
                                    • API ID: Window$ActiveEnumIconicLongShowWindows
                                    • String ID:
                                    • API String ID: 2671590913-0
                                    APIs
                                    • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0044C717), ref: 0044C705
                                    Similarity
                                    • API ID: NtdllProc_Window
                                    • String ID:
                                    • API String ID: 4255912815-0
                                    APIs
                                    • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412739), ref: 00412727
                                    Similarity
                                    • API ID: NtdllProc_Window
                                    • String ID:
                                    • API String ID: 4255912815-0
                                    APIs
                                    • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004776F2
                                    Similarity
                                    • API ID: NtdllProc_Window
                                    • String ID:
                                    • API String ID: 4255912815-0
                                    APIs
                                    • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042FF97
                                    Similarity
                                    • API ID: NtdllProc_Window
                                    • String ID:
                                    • API String ID: 4255912815-0
                                    APIs
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    APIs
                                    • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042EDAC
                                    Similarity
                                    • API ID: NtdllProc_Window
                                    • String ID:
                                    • API String ID: 4255912815-0
                                    APIs
                                      • Part of subcall function 0046E7F0: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,0047549E,0049C1A4,?,0046EAF5,?,00000000,0046F02B,?,_is1), ref: 0046E813
                                    • RegCloseKey.ADVAPI32(?,0046F032,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F07D,?,?,00000001,0049C1A4), ref: 0046F025
                                    Strings
                                    Similarity
                                    • API ID: CloseValue
                                    • String ID: " /SILENT$5.3.6 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                    • API String ID: 3132538880-1365092397
                                    APIs
                                    • Sleep.KERNEL32(00000000,00000000,004917FD,?,?,?,?,00000000,00000000,00000000), ref: 00491348
                                    • FindWindowA.USER32(00000000,00000000), ref: 00491379
                                    Strings
                                    Similarity
                                    • API ID: FindSleepWindow
                                    • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                    • API String ID: 3078808852-3310373309
                                    APIs
                                    • GetVersion.KERNEL32(?,00418EE0,00000000,?,?,?,00000001), ref: 0041F006
                                    • SetErrorMode.KERNEL32(00008000,?,00418EE0,00000000,?,?,?,00000001), ref: 0041F022
                                    • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418EE0,00000000,?,?,?,00000001), ref: 0041F02E
                                    • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418EE0,00000000,?,?,?,00000001), ref: 0041F03C
                                    • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F06C
                                    • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F095
                                    • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F0AA
                                    • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F0BF
                                    • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F0D4
                                    • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F0E9
                                    • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F0FE
                                    • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F113
                                    • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F128
                                    • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F13D
                                    • FreeLibrary.KERNEL32(00000001,?,00418EE0,00000000,?,?,?,00000001), ref: 0041F14F
                                    Strings
                                    Similarity
                                    • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                    • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                    • API String ID: 2323315520-3614243559
                                    APIs
                                    • CreateMutexA.KERNEL32(00499B10,00000001,00000000,00000000,00459E4D,?,?,?,00000001,?,0045A053,00000000,0045A069,?,00000000,0049B624), ref: 00459B65
                                    • CreateFileMappingA.KERNEL32(000000FF,00499B10,00000004,00000000,00002018,00000000), ref: 00459B9D
                                    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,00459E23,?,00499B10,00000001,00000000,00000000,00459E4D,?,?,?), ref: 00459BC4
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00459CD1
                                    • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,00459E23,?,00499B10,00000001,00000000,00000000,00459E4D), ref: 00459C29
                                      • Part of subcall function 00455624: GetLastError.KERNEL32(00000000,00456095,00000005,00000000,004560CA,?,?,00000000,0049B624,00000004,00000000,00000000,00000000,?,00497821,00000000), ref: 00455627
                                    • CloseHandle.KERNEL32(0045A053,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00459CE8
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,0045A053,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00459D21
                                    • GetLastError.KERNEL32(00000000,000000FF,0045A053,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00459D33
                                    • UnmapViewOfFile.KERNEL32(00000000,00459E2A,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00459E05
                                    • CloseHandle.KERNEL32(00000000,00459E2A,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00459E14
                                    • CloseHandle.KERNEL32(00000000,00459E2A,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00459E1D
                                    Strings
                                    Similarity
                                    • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                    • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$ReleaseMutex$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
                                    • API String ID: 4012871263-4166201014
                                    APIs
                                    • 73E9A570.USER32(00000000,?,0041A834,?), ref: 0041C920
                                    • 73EA4C40.GDI32(?,00000000,?,0041A834,?), ref: 0041C92C
                                    • 73EA6180.GDI32(0041A834,?,00000001,00000001,00000000,00000000,0041CB42,?,?,00000000,?,0041A834,?), ref: 0041C950
                                    • 73EA4C00.GDI32(?,0041A834,?,00000000,0041CB42,?,?,00000000,?,0041A834,?), ref: 0041C960
                                    • SelectObject.GDI32(0041CD1C,00000000), ref: 0041C97B
                                    • FillRect.USER32(0041CD1C,?,?), ref: 0041C9B6
                                    • SetTextColor.GDI32(0041CD1C,00000000), ref: 0041C9CB
                                    • SetBkColor.GDI32(0041CD1C,00000000), ref: 0041C9E2
                                    • PatBlt.GDI32(0041CD1C,00000000,00000000,0041A834,?,00FF0062), ref: 0041C9F8
                                    • 73EA4C40.GDI32(?,00000000,0041CAFB,?,0041CD1C,00000000,?,0041A834,?,00000000,0041CB42,?,?,00000000,?,0041A834), ref: 0041CA0B
                                    • SelectObject.GDI32(00000000,00000000), ref: 0041CA3C
                                    • 73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CAEA,?,?,00000000,0041CAFB,?,0041CD1C,00000000,?,0041A834), ref: 0041CA54
                                    • 73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CAEA,?,?,00000000,0041CAFB,?,0041CD1C,00000000,?), ref: 0041CA5D
                                    • 73E98830.GDI32(0041CD1C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CAEA,?,?,00000000,0041CAFB), ref: 0041CA6C
                                    • 73E922A0.GDI32(0041CD1C,0041CD1C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CAEA,?,?,00000000,0041CAFB), ref: 0041CA75
                                    • SetTextColor.GDI32(00000000,00000000), ref: 0041CA8E
                                    • SetBkColor.GDI32(00000000,00000000), ref: 0041CAA5
                                    • 73EA4D40.GDI32(0041CD1C,00000000,00000000,0041A834,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CAEA,?,?,00000000), ref: 0041CAC1
                                    • SelectObject.GDI32(00000000,?), ref: 0041CACE
                                    • DeleteDC.GDI32(00000000), ref: 0041CAE4
                                      • Part of subcall function 00419F48: GetSysColor.USER32(?), ref: 00419F52
                                    Similarity
                                    • API ID: Color$ObjectSelect$E922E98830Text$A570A6180DeleteFillRect
                                    • String ID:
                                    • API String ID: 1952589944-0
                                    • Opcode ID: e9305d77ececdc42362502e02eebccecc638fc7020293e0a24b4c3006d075ea9
                                    • Instruction ID: 2a5bf55b03c65e6cd00587cb758285784e9f5ca3ac854f4bdfb51c9342b014fe
                                    • Opcode Fuzzy Hash: e9305d77ececdc42362502e02eebccecc638fc7020293e0a24b4c3006d075ea9
                                    • Instruction Fuzzy Hash: 8161EF71A44609AFDF10EBE5DC96FAFB7B8EB08704F10446AB504F7281C67CA941CB69
                                    APIs
                                    • AllocateAndInitializeSid.ADVAPI32(00499784,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DDA2
                                    • GetVersion.KERNEL32(00000000,0042DF4C,?,00499784,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DDBF
                                    • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042DF4C,?,00499784,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DDD8
                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DDDE
                                    • FreeSid.ADVAPI32(00000000,0042DF53,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF46
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressAllocateFreeHandleInitializeModuleProcVersion
                                    • String ID: CheckTokenMembership$advapi32.dll
                                    • API String ID: 1717332306-1888249752
                                    • Opcode ID: 36d0c88c0d7fa5940363bf3eb447e4ae69a96e1125b68612092dbc944a3d964f
                                    • Instruction ID: 2826b10b00e907c8605def9be8102760f5aa4aaea11af2c5bacb74e45be54e45
                                    • Opcode Fuzzy Hash: 36d0c88c0d7fa5940363bf3eb447e4ae69a96e1125b68612092dbc944a3d964f
                                    • Instruction Fuzzy Hash: 0451E271F046156AEB10EAE99942BBF77ACDF08304F91047BB505EB2C2DA7D99008B6D
                                    APIs
                                    • ShowWindow.USER32(?,00000005,00000000,00497BE4,?,?,00000000,?,00000000,00000000,?,00497F19,00000000,00497F23,?,00000000), ref: 004978CF
                                    • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497BE4,?,?,00000000,?,00000000,00000000,?,00497F19,00000000), ref: 004978E2
                                    • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497BE4,?,?,00000000,?,00000000,00000000), ref: 004978F2
                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00497913
                                    • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497BE4,?,?,00000000,?,00000000), ref: 00497923
                                      • Part of subcall function 0042D1D4: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D262,?,?,00000000,?,?,004972E0,00000000,004974A9,?,?,00000005), ref: 0042D209
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                    • String ID: .lst$.msg$/REG$/REGU$@5E$Inno-Setup-RegSvr-Mutex$Setup
                                    • API String ID: 2000705611-2914665152
                                    • Opcode ID: 3d2fa26d8874b9550e8be6fe62cbddfe5c5aa9636bc70f35e6e11ff41baa172d
                                    • Instruction ID: cbad1d7325b450ab9a9999f0e4269e705e8717d94b3f02fd666181749742a20c
                                    • Opcode Fuzzy Hash: 3d2fa26d8874b9550e8be6fe62cbddfe5c5aa9636bc70f35e6e11ff41baa172d
                                    • Instruction Fuzzy Hash: 5C91D330A182449FDF11EBA5C856FAEBFB5EB49308F514477F500AB682D63DA901CB19
                                    APIs
                                    • 73EA4C40.GDI32(00000000,?,00000000,?), ref: 0041B2A3
                                    • 73EA4C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B2AD
                                    • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B2BF
                                    • 73EA6180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B2D6
                                    • 73E9A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B2E2
                                    • 73EA4C00.GDI32(00000000,0000000B,?,00000000,0041B33B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B30F
                                    • 73E9A480.USER32(00000000,00000000,0041B342,00000000,0041B33B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B335
                                    • SelectObject.GDI32(00000000,?), ref: 0041B350
                                    • SelectObject.GDI32(?,00000000), ref: 0041B35F
                                    • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B38B
                                    • SelectObject.GDI32(00000000,00000000), ref: 0041B399
                                    • SelectObject.GDI32(?,00000000), ref: 0041B3A7
                                    • DeleteDC.GDI32(00000000), ref: 0041B3B0
                                    • DeleteDC.GDI32(?), ref: 0041B3B9
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Object$Select$Delete$A480A570A6180Stretch
                                    • String ID:
                                    • API String ID: 1888863034-0
                                    • Opcode ID: 9558e35dfd56978dfdd1cf75b5b25b41f5053de2573c0879465a87f0691658fb
                                    • Instruction ID: 797c1b717c90e4316e7f31ba9f09bfa74b62e123bae0c09fadd8e1cda0f65e40
                                    • Opcode Fuzzy Hash: 9558e35dfd56978dfdd1cf75b5b25b41f5053de2573c0879465a87f0691658fb
                                    • Instruction Fuzzy Hash: DA41C171E44609AFDF10DAE9CC46FEFB7BCEB08704F100566B614FB281D67869408BA4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Window$Long$Show
                                    • String ID: DeinitializeUninstall$InitializeUninstall$Original Uninstall EXE: $Setup version: Inno Setup version 5.3.6 (a)$Uninstall$Uninstall DAT: $Uninstall command line: $UninstallNeedRestart
                                    • API String ID: 3609083571-2250173534
                                    • Opcode ID: e83bac642c86f289039c03779822a42860277e3cf4cf1a4313b1dba486474469
                                    • Instruction ID: b2fc2d301f1486d80b06f03fd78cac30325bbb784c0abb4486304afcf406f4de
                                    • Opcode Fuzzy Hash: e83bac642c86f289039c03779822a42860277e3cf4cf1a4313b1dba486474469
                                    • Instruction Fuzzy Hash: 9E128E30644244AFDF11EF65E892B697FA0EB55308F51847BF800AB3A2D77C9845CB6D
                                    APIs
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    • RegQueryValueExA.ADVAPI32(0045C5C2,00000000,00000000,?,00000000,?,00000000,00456B51,?,0045C5C2,00000003,00000000,00000000,00456B88), ref: 004569D1
                                      • Part of subcall function 0042E50C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004553FB,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E52B
                                    • RegQueryValueExA.ADVAPI32(0045C5C2,00000000,00000000,00000000,?,00000004,00000000,00456A9B,?,0045C5C2,00000000,00000000,?,00000000,?,00000000), ref: 00456A55
                                    • RegQueryValueExA.ADVAPI32(0045C5C2,00000000,00000000,00000000,?,00000004,00000000,00456A9B,?,0045C5C2,00000000,00000000,?,00000000,?,00000000), ref: 00456A84
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00456928
                                    • RegOpenKeyEx, xrefs: 00456954
                                    • , xrefs: 00456942
                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004568EF
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: QueryValue$FormatMessageOpen
                                    • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                    • API String ID: 2812809588-1577016196
                                    • Opcode ID: f37eb993d6601eb75e941beaef36cd83901e4c83f8625607f99559d6766ae85b
                                    • Instruction ID: fd635df961ce8298d33a8e390a159159f9c033d45fe952da87acdb28ef6ea992
                                    • Opcode Fuzzy Hash: f37eb993d6601eb75e941beaef36cd83901e4c83f8625607f99559d6766ae85b
                                    • Instruction Fuzzy Hash: 9A913371E04218AFDB00DFD5C942BDEB7B9EB09305F51847AF900F7282D679AE058B69
                                    APIs
                                      • Part of subcall function 0042C58C: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C5B0
                                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472313
                                    • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0047240A
                                    • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472420
                                    • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472445
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                    • String ID: .lnk$.pif$.url$Desktop.ini$target.lnk${group}\
                                    • API String ID: 971782779-3986285429
                                    • Opcode ID: 1d6736304f5788cfa969827c889910c75397fc1d411873358e6b082d9d45a27e
                                    • Instruction ID: 1c0f42174f9e9101f658e61d8853a978dfc5298e9395188c14c8465e804167d9
                                    • Opcode Fuzzy Hash: 1d6736304f5788cfa969827c889910c75397fc1d411873358e6b082d9d45a27e
                                    • Instruction Fuzzy Hash: 69D13374A00249AFDB01EFA5C981BDEBBF5BF08314F54506AF804B7391C678AE45CB69
                                    APIs
                                      • Part of subcall function 0042DAC8: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DAF4
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00456743,?,00000000,00456807), ref: 00456693
                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00456743,?,00000000,00456807), ref: 004567CF
                                      • Part of subcall function 0042E50C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004553FB,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E52B
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004565DB
                                    • , xrefs: 004565F5
                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004565AB
                                    • RegCreateKeyEx, xrefs: 00456607
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CloseCreateFormatMessageQueryValue
                                    • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                    • API String ID: 2481121983-1280779767
                                    • Opcode ID: cd04931d3011eaf488063f7fe6f4475c5b5d2321a6db9f3c59a12410ca44546c
                                    • Instruction ID: 2dc0ce688da9091de010c15ee6aeb48b70a17a724dce6266a075654ea1ce47f6
                                    • Opcode Fuzzy Hash: cd04931d3011eaf488063f7fe6f4475c5b5d2321a6db9f3c59a12410ca44546c
                                    • Instruction Fuzzy Hash: 9E811075A00209AFDB00DFD5C985BEEB7B9EF48315F51443AF900F7281D778AA098B69
                                    APIs
                                      • Part of subcall function 00455A44: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!dI,_iu,?,00000000,00455B7E), ref: 00455B33
                                      • Part of subcall function 00455A44: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!dI,_iu,?,00000000,00455B7E), ref: 00455B43
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004962CD
                                    • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496421), ref: 004962EE
                                    • CreateWindowExA.USER32(00000000,STATIC,00496430,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496315
                                    • SetWindowLongA.USER32(?,000000FC,00495AC8), ref: 00496328
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004963F4,?,?,000000FC,00495AC8,00000000,STATIC,00496430), ref: 00496358
                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004963CC
                                    • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004963F4,?,?,000000FC,00495AC8,00000000), ref: 004963D8
                                      • Part of subcall function 00455D94: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00455E7B
                                    • 73EA5CF0.USER32(?,004963FB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004963F4,?,?,000000FC,00495AC8,00000000,STATIC), ref: 004963EE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                    • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                    • API String ID: 170458502-2312673372
                                    • Opcode ID: e0b1e2513d3b37e845eb0831c638b63d054116a8ebcaff6edfa9fd8c81573f21
                                    • Instruction ID: e60c0d8a3730507d234a0efc89d9eec309c4f26d787c2e7aa680061781914fb8
                                    • Opcode Fuzzy Hash: e0b1e2513d3b37e845eb0831c638b63d054116a8ebcaff6edfa9fd8c81573f21
                                    • Instruction Fuzzy Hash: 71417270A00204AFDF01EBA5DC52FAE7BB8EB09714F51457AF500F7292D7799A008BA8
                                    APIs
                                    • GetActiveWindow.USER32 ref: 004625A0
                                    • GetModuleHandleA.KERNEL32(user32.dll), ref: 004625B4
                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004625C1
                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004625CE
                                    • GetWindowRect.USER32(?,00000000), ref: 0046261A
                                    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462658
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Window$AddressProc$ActiveHandleModuleRect
                                    • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                    • API String ID: 2610873146-3407710046
                                    • Opcode ID: 0e7e0350189bc9d8d88d05d1250fc55b0235045559820d883b5fe2fdfeb613ea
                                    • Instruction ID: 1ea1c58b29062d24ff2b2637e3cd204a870160e2b30e87e4d466d02a583f5235
                                    • Opcode Fuzzy Hash: 0e7e0350189bc9d8d88d05d1250fc55b0235045559820d883b5fe2fdfeb613ea
                                    • Instruction Fuzzy Hash: C7218376600A053BD210AA64CE45F3B37D5EB94700F05452EFD44EB396E6B8EC014B9A
                                    APIs
                                    • GetActiveWindow.USER32 ref: 0042EA88
                                    • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042EA9C
                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042EAA9
                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042EAB6
                                    • GetWindowRect.USER32(?,00000000), ref: 0042EB02
                                    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042EB40
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Window$AddressProc$ActiveHandleModuleRect
                                    • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                    • API String ID: 2610873146-3407710046
                                    • Opcode ID: aee130be2583e095ed5a92f56869e7de557bafc86e803acc9c405ed248fc814b
                                    • Instruction ID: 8f171f690ff18d5b3b9c8eb115f21e9ad5ed55ba4d90e40c97150058dc376724
                                    • Opcode Fuzzy Hash: aee130be2583e095ed5a92f56869e7de557bafc86e803acc9c405ed248fc814b
                                    • Instruction Fuzzy Hash: 1521D4767006242BD300EA69DC51F3B7BE8DB84704F08452EFA45DB381DA78FC008B99
                                    APIs
                                    • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B50), ref: 00401AA5
                                    • LocalFree.KERNEL32(00674A48,00000000,00401B50), ref: 00401AB7
                                    • VirtualFree.KERNEL32(?,00000000,00008000,00674A48,00000000,00401B50), ref: 00401AD6
                                    • LocalFree.KERNEL32(00673C18,?,00000000,00008000,00674A48,00000000,00401B50), ref: 00401B15
                                    • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B57), ref: 00401B40
                                    • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B57), ref: 00401B4A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                    • String ID: HJg$LBg$lAg$|Ag
                                    • API String ID: 3782394904-3249802853
                                    • Opcode ID: 4c886bc154a1326132dadadc9c38afda3b0087b73a7498402942543d8a99aaec
                                    • Instruction ID: f93af2b188a495e9ac78a8c5c9374daf719485e8ce4bb9d90d3c5d9fff7236ae
                                    • Opcode Fuzzy Hash: 4c886bc154a1326132dadadc9c38afda3b0087b73a7498402942543d8a99aaec
                                    • Instruction Fuzzy Hash: 501181307406405AEB11A765BE85B163BA5D750708F48403BF400677F3D77C6850E7AE
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045AA9F,?,00000000,0045AB02,?,?,021A3850,00000000), ref: 0045A91D
                                    • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021A3850,?,00000000,0045AA34,?,00000000,00000001,00000000,00000000,00000000,0045AA9F), ref: 0045A97A
                                    • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021A3850,?,00000000,0045AA34,?,00000000,00000001,00000000,00000000,00000000,0045AA9F), ref: 0045A987
                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045A9D3
                                    • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,0045AA0D,?,-00000020,0000000C,-00004034,00000014,021A3850,?,00000000,0045AA34,?,00000000), ref: 0045A9F9
                                    • GetLastError.KERNEL32(?,?,00000000,00000001,0045AA0D,?,-00000020,0000000C,-00004034,00000014,021A3850,?,00000000,0045AA34,?,00000000), ref: 0045AA00
                                      • Part of subcall function 00455624: GetLastError.KERNEL32(00000000,00456095,00000005,00000000,004560CA,?,?,00000000,0049B624,00000004,00000000,00000000,00000000,?,00497821,00000000), ref: 00455627
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                    • String ID: CreateEvent$TransactNamedPipe
                                    • API String ID: 2182916169-3012584893
                                    • Opcode ID: d76a066649a8d8edfad33ac3228657f777c54ac33a92c263e8d0dda44fb332e9
                                    • Instruction ID: 0b788553e1f473bd2e32747f890764243a476c1d1aa3d8e1e26744525a5d7b95
                                    • Opcode Fuzzy Hash: d76a066649a8d8edfad33ac3228657f777c54ac33a92c263e8d0dda44fb332e9
                                    • Instruction Fuzzy Hash: A941BF71A00608AFDB11DF95C981FAEB7F9FB08300F1181A6F904E7292C6789E54CB69
                                    APIs
                                    • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00458831,?,?,00000031,?), ref: 004586F4
                                    • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 004586FA
                                    • LoadTypeLib.OLEAUT32(00000000,?), ref: 00458747
                                      • Part of subcall function 00455624: GetLastError.KERNEL32(00000000,00456095,00000005,00000000,004560CA,?,?,00000000,0049B624,00000004,00000000,00000000,00000000,?,00497821,00000000), ref: 00455627
                                    Strings
                                    Similarity
                                    • API ID: AddressErrorHandleLastLoadModuleProcType
                                    • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                    • API String ID: 1914119943-2711329623
                                    • Opcode ID: 66769506804060850af148ce40a1e2267e3c44cfac5595663de214baa7bab884
                                    • Instruction ID: 6046ce7726684451a9d382063c2b5bd16faec43b67748da4b34724684f5228d9
                                    • Opcode Fuzzy Hash: 66769506804060850af148ce40a1e2267e3c44cfac5595663de214baa7bab884
                                    • Instruction Fuzzy Hash: BD318F75A00604AFD701EFAACC51D5BB7AAEB8C74576184AABC04E3752DE38D904CB68
                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E225,?,?,00000001,00000000,?,?,00000001,00000000,00000002,00000000,0047F1F9), ref: 0042E149
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E14F
                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E225,?,?,00000001,00000000,?,?,00000001), ref: 0042E19D
                                    Strings
                                    Similarity
                                    • API ID: AddressCloseHandleModuleProc
                                    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                    • API String ID: 4190037839-2401316094
                                    • Opcode ID: 8415bed751bfec3efe21434c392c412ec00ccc1580a4ac617848cbd82fe80e12
                                    • Instruction ID: c49c9ae6200c9969334a5e6f31578285ccf71ac4306d47bcb485aa6eb227171d
                                    • Opcode Fuzzy Hash: 8415bed751bfec3efe21434c392c412ec00ccc1580a4ac617848cbd82fe80e12
                                    • Instruction Fuzzy Hash: 87212630B10215EBDB00EAA6DC56B9F77ACEB44704FA0447AA501E7281EB789A058B6D
                                    APIs
                                    • RectVisible.GDI32(?,?), ref: 00416D0F
                                    • SaveDC.GDI32(?), ref: 00416D23
                                    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416D46
                                    • RestoreDC.GDI32(?,?), ref: 00416D61
                                    • CreateSolidBrush.GDI32(00000000), ref: 00416DE1
                                    • FrameRect.USER32(?,?,?), ref: 00416E14
                                    • DeleteObject.GDI32(?), ref: 00416E1E
                                    • CreateSolidBrush.GDI32(00000000), ref: 00416E2E
                                    • FrameRect.USER32(?,?,?), ref: 00416E61
                                    • DeleteObject.GDI32(?), ref: 00416E6B
                                    Similarity
                                    • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                    • String ID:
                                    • API String ID: 375863564-0
                                    • Opcode ID: f0db003abaad79c5888bdfac317a4803aff7d024e963447387dcfd6c69f8af06
                                    • Instruction ID: e2b8be11b5fbdaac4e95cd506e8f6ae5723c71d624b696d8be894e74003e98b8
                                    • Opcode Fuzzy Hash: f0db003abaad79c5888bdfac317a4803aff7d024e963447387dcfd6c69f8af06
                                    • Instruction Fuzzy Hash: 24515C716046445FDB50EF69C8C0B9B77E8EF48314F15456AFD888B286C738EC81CB99
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404AAA
                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404ACE
                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404AEA
                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404B0B
                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404B34
                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404B3E
                                    • GetStdHandle.KERNEL32(000000F5), ref: 00404B5E
                                    • GetFileType.KERNEL32(?,000000F5), ref: 00404B75
                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404B90
                                    • GetLastError.KERNEL32(000000F5), ref: 00404BAA
                                    Similarity
                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                    • String ID:
                                    • API String ID: 1694776339-0
                                    • Opcode ID: 3bfb5afb3087beb5dd6b1b169d209d097c7497b26921680c5a83f8d0d60f0a81
                                    • Instruction ID: 0c3b93c923f27911bf6a0b20c7a302a5ce99a82c46747d2a3ab92556c7e0bf16
                                    • Opcode Fuzzy Hash: 3bfb5afb3087beb5dd6b1b169d209d097c7497b26921680c5a83f8d0d60f0a81
                                    • Instruction Fuzzy Hash: B141A2F02446009AEB305E24C905B2375E5EBC0724F20893FAB96B66E5D77DE8118B5D
                                    APIs
                                    • GetSystemMenu.USER32(00000000,00000000), ref: 004220AB
                                    • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004220C9
                                    • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004220D6
                                    • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004220E3
                                    • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004220F0
                                    • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004220FD
                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0042210A
                                    • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00422117
                                    • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00422135
                                    • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422151
                                    Similarity
                                    • API ID: Menu$Delete$EnableItem$System
                                    • String ID:
                                    • API String ID: 3985193851-0
                                    • Opcode ID: b8fac23383d66549ee0ca3b24bc09c207a556ff66a7692a2234245b19d3bef90
                                    • Instruction ID: e2fefe031753982c101f8ace914109b436f0cca51571b8d32f866bfcd9bf737b
                                    • Opcode Fuzzy Hash: b8fac23383d66549ee0ca3b24bc09c207a556ff66a7692a2234245b19d3bef90
                                    • Instruction Fuzzy Hash: 28213E703407557AE7209A24CD8EFAB6BD89F04748F0440A6B7487F2D3C2FCAA908A5C
                                    APIs
                                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00455E7B
                                    Strings
                                    Similarity
                                    • API ID: PrivateProfileStringWrite
                                    • String ID: .tmp$@5E$@5E$MoveFileEx$NUL$WININIT.INI$[rename]
                                    • API String ID: 390214022-3913328528
                                    • Opcode ID: 8a70d6ef3cdad147b2b9220e4c0d423c860b7543426c4ccf8ac77106a2458aa7
                                    • Instruction ID: 14a9c7d465f9364fcad01b07e8e70e8595df4dc924ccc2d596f34006eea85149
                                    • Opcode Fuzzy Hash: 8a70d6ef3cdad147b2b9220e4c0d423c860b7543426c4ccf8ac77106a2458aa7
                                    • Instruction Fuzzy Hash: 73912830E005099BDF11EFA5C892BEEB7B5EF44306F518466E90077392D778AE09CB59
                                    APIs
                                    • GetActiveWindow.USER32 ref: 0042EDFF
                                    • GetFocus.USER32 ref: 0042EE07
                                    • RegisterClassA.USER32(004997A8), ref: 0042EE28
                                    • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042EEFC,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042EE66
                                    • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042EEAC
                                    • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042EEBD
                                    • SetFocus.USER32(00000000,00000000,0042EEDF,?,?,?,00000001,00000000,?,0045A016,00000000,0049B624), ref: 0042EEC4
                                    Strings
                                    Similarity
                                    • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                    • String ID: TWindowDisabler-Window
                                    • API String ID: 3167913817-1824977358
                                    • Opcode ID: d4ad71e7a27e8841ba0a1db9d17ff71eab38e05670c857df6a76f034f5fc3254
                                    • Instruction ID: a862d4bca06cf99acd6da145291f10dc65f0da1a13c550d982c7e26eee10b3a6
                                    • Opcode Fuzzy Hash: d4ad71e7a27e8841ba0a1db9d17ff71eab38e05670c857df6a76f034f5fc3254
                                    • Instruction Fuzzy Hash: 7021A371740710BAE210EB66ED03F1B76A4EB44B04F62853BF604BB2D1D7B96D1086DD
                                    APIs
                                    • SHGetMalloc.SHELL32(?), ref: 004612C7
                                    • GetActiveWindow.USER32 ref: 0046132B
                                    • CoInitialize.OLE32(00000000), ref: 0046133F
                                    • SHBrowseForFolder.SHELL32(?), ref: 00461356
                                    • CoUninitialize.OLE32(00461397,00000000,?,?,?,?,?,00000000,0046141B), ref: 0046136B
                                    • SetActiveWindow.USER32(?,00461397,00000000,?,?,?,?,?,00000000,0046141B), ref: 00461381
                                    • SetActiveWindow.USER32(?,?,00461397,00000000,?,?,?,?,?,00000000,0046141B), ref: 0046138A
                                    Strings
                                    Similarity
                                    • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                    • String ID: A
                                    • API String ID: 2684663990-3554254475
                                    • Opcode ID: 367d668d001d9250bee640185a5e3a3aed7060aabaa3a8dccca4aeb3c7e315fd
                                    • Instruction ID: 311dcf2139a2b3534fb0928a1d6c974bd7786632ce71a320e5321d4e952717bd
                                    • Opcode Fuzzy Hash: 367d668d001d9250bee640185a5e3a3aed7060aabaa3a8dccca4aeb3c7e315fd
                                    • Instruction Fuzzy Hash: 683130B1D002589FDB10EFA6D885A9EBBF8EB08304F51847BF904E7651E7789A40CF59
                                    APIs
                                    • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 004019CA
                                    • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 004019DD
                                    • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 00401A07
                                    • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A71,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 00401A64
                                    Strings
                                    Similarity
                                    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                    • String ID: HJg$LBg$lAg$|Ag
                                    • API String ID: 730355536-3249802853
                                    • Opcode ID: a4b5ab44ab06c30555272aee31ad1bcb938afc24488a7ca308cef9d10d117d6e
                                    • Instruction ID: 9f32f6c786538bdfbaa69d985993cc9d3937e6df48f86ba27f82ebd753f1ed41
                                    • Opcode Fuzzy Hash: a4b5ab44ab06c30555272aee31ad1bcb938afc24488a7ca308cef9d10d117d6e
                                    • Instruction Fuzzy Hash: 7301C4706442409EFB15AB7ABA467253F94D794B08F15803BE440A77F3C7BC4840EBAD
                                    APIs
                                    • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045EC35
                                    • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045EC45
                                    • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045EC55
                                    • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045EC65
                                    Strings
                                    Similarity
                                    • API ID: AddressProc
                                    • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                    • API String ID: 190572456-3516654456
                                    • Opcode ID: 291e6c31b2fe8c30e73f8754c28d9c225dd6739af33db4faba8e20a064fcebda
                                    • Instruction ID: 2bd35c1a908e4d9f354668280f52dd010c3b8eefff608f1293b631df4c965789
                                    • Opcode Fuzzy Hash: 291e6c31b2fe8c30e73f8754c28d9c225dd6739af33db4faba8e20a064fcebda
                                    • Instruction Fuzzy Hash: 450121B1900744DFE309DFA79E817163795E7A4B0AF10853B9904A52A2D3788559CF2C
                                    APIs
                                    • SetBkColor.GDI32(?,00000000), ref: 0041A8A9
                                    • 73EA4D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A8E3
                                    • SetBkColor.GDI32(?,?), ref: 0041A8F8
                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041A942
                                    • SetTextColor.GDI32(00000000,00000000), ref: 0041A94D
                                    • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041A95D
                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041A99C
                                    • SetTextColor.GDI32(00000000,00000000), ref: 0041A9A6
                                    • SetBkColor.GDI32(00000000,?), ref: 0041A9B3
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Color$StretchText
                                    • String ID:
                                    • API String ID: 2984075790-0
                                    • Opcode ID: 50d8f4bf502b99e914b600fd388646fb4137a426ed63ab2b683009b6c8e50394
                                    • Instruction ID: 4190274f74627202e87e0d10e97d82cb80ff86f425f935c8e1d9746265d170f9
                                    • Opcode Fuzzy Hash: 50d8f4bf502b99e914b600fd388646fb4137a426ed63ab2b683009b6c8e50394
                                    • Instruction Fuzzy Hash: 9261D6B5A00505AFCB40EFADD9C5E9AB7F8AF08314B10856AF918DB355C734ED418F98
                                    APIs
                                    • OffsetRect.USER32(?,00000001,00000001), ref: 004501CD
                                    • GetSysColor.USER32(00000014), ref: 004501D4
                                    • SetTextColor.GDI32(00000000,00000000), ref: 004501EC
                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 00450215
                                    • OffsetRect.USER32(?,000000FF,000000FF), ref: 0045021F
                                    • GetSysColor.USER32(00000010), ref: 00450226
                                    • SetTextColor.GDI32(00000000,00000000), ref: 0045023E
                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 00450267
                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 00450292
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Text$Color$Draw$OffsetRect
                                    • String ID:
                                    • API String ID: 1005981011-0
                                    • Opcode ID: 877fe8219619571baa014e8a9f059208fb8391af037b98ecc88f888c2ca9e9dc
                                    • Instruction ID: afd032d47e661ffd9b2dd95fab3760a244d7672986f6d2d5516b714abe6b1ce9
                                    • Opcode Fuzzy Hash: 877fe8219619571baa014e8a9f059208fb8391af037b98ecc88f888c2ca9e9dc
                                    • Instruction Fuzzy Hash: ED21F0B43055106BD700FB6ECD8AE8BBBDC9F09319F00457AB914EB393C578DD404669
                                    APIs
                                    • GetLastError.KERNEL32(00000000,0045C44A,?,?,?,?,?,00000006,?,00000000,00496E1A,?,00000000,00496EBD), ref: 0045C2FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: .chm$.chw$.fts$.gid$.hlp
                                    • API String ID: 1452528299-944893595
                                    • Opcode ID: cf5dcc6a2abf22bb47e92a552fb692996a4349cf7f576cf70b7dcc56e38165ed
                                    • Instruction ID: be168f5e1abe12585d9254e8fa248662e6add98ed5092c2bd70f017467d71cec
                                    • Opcode Fuzzy Hash: cf5dcc6a2abf22bb47e92a552fb692996a4349cf7f576cf70b7dcc56e38165ed
                                    • Instruction Fuzzy Hash: 7161A170B003049FDB00EBA988D1BAE77A5AB49319F50846AFC01EB383DA7C9D49C75D
                                    APIs
                                      • Part of subcall function 0045AFC0: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,0045B0EE,00000000,0045B23B,?,00000000,00000000,00000000), ref: 0045B00D
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,0045B23B,?,00000000,00000000,00000000), ref: 0045B14A
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,0045B23B,?,00000000,00000000,00000000), ref: 0045B1B0
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    Strings
                                    • .NET Framework version %s not found, xrefs: 0045B1EA
                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 0045B164
                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045B0FE
                                    • v2.0.50727, xrefs: 0045B13C
                                    • v1.1.4322, xrefs: 0045B1A2
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Close$Open
                                    • String ID: .NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$v1.1.4322$v2.0.50727
                                    • API String ID: 2976201327-190240045
                                    • Opcode ID: ae8bc9a6c0adc9c868e67fa54bbd3c2f016d946178f2adf587b86b8c8002e91b
                                    • Instruction ID: d9b7c367772dc380ea63b11d0b64daa452ead9b8d055b38c2a5d6a1b39996837
                                    • Opcode Fuzzy Hash: ae8bc9a6c0adc9c868e67fa54bbd3c2f016d946178f2adf587b86b8c8002e91b
                                    • Instruction Fuzzy Hash: 6141EA30A041499FCB00DFA5C8A1BEE77B5EB49305F5444BBE914DB282DB79960ECB98
                                    APIs
                                      • Part of subcall function 00416310: GetClassInfoA.USER32(00400000,?,?), ref: 0041637F
                                      • Part of subcall function 00416310: UnregisterClassA.USER32(?,00400000), ref: 004163AB
                                      • Part of subcall function 00416310: RegisterClassA.USER32(?), ref: 004163CE
                                    • GetVersion.KERNEL32 ref: 00462A04
                                    • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462A42
                                    • SHGetFileInfo.SHELL32(00462AE0,00000000,?,00000160,00004011), ref: 00462A5F
                                    • LoadCursorA.USER32(00000000,00007F02), ref: 00462A7D
                                    • SetCursor.USER32(00000000,00000000,00007F02,00462AE0,00000000,?,00000160,00004011), ref: 00462A83
                                    • SetCursor.USER32(?,00462AC3,00007F02,00462AE0,00000000,?,00000160,00004011), ref: 00462AB6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                    • String ID: Explorer
                                    • API String ID: 2594429197-512347832
                                    • Opcode ID: 46d779ce4d759988f7bebdbc411afe2a00febd26640da47e186540b101d817e8
                                    • Instruction ID: a4d411fa1905ee4ad7ace10da5ef87061ce9e0219e12f73296a8aa458b225f13
                                    • Opcode Fuzzy Hash: 46d779ce4d759988f7bebdbc411afe2a00febd26640da47e186540b101d817e8
                                    • Instruction Fuzzy Hash: 5121A5707447056AE720BBB59D46F9B36989B48708F4544BFBA05EA1C3EAFC8804866D
                                    APIs
                                    • GetCapture.USER32 ref: 00422D10
                                    • GetCapture.USER32 ref: 00422D1F
                                    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422D25
                                    • ReleaseCapture.USER32 ref: 00422D2A
                                    • GetActiveWindow.USER32 ref: 00422D39
                                    • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422DB8
                                    • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422E1C
                                    • GetActiveWindow.USER32 ref: 00422E2B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CaptureMessageSend$ActiveWindow$Release
                                    • String ID:
                                    • API String ID: 862346643-0
                                    • Opcode ID: 6735fa7bd4e0ac856f5db9820fa6f4351459639d3c4fa51414441295840f7139
                                    • Instruction ID: efc85323a12eb97d11965a978d8a8585d265fc1e718e6203307ca4d81742c5c6
                                    • Opcode Fuzzy Hash: 6735fa7bd4e0ac856f5db9820fa6f4351459639d3c4fa51414441295840f7139
                                    • Instruction Fuzzy Hash: 23416670B00204EFDB10EF6ADA41B9E77F1EF04714F5140BAE500AB2A2D7B85E40DB49
                                    APIs
                                    • 73E9A570.USER32(00000000), ref: 004292E6
                                    • GetTextMetricsA.GDI32(00000000), ref: 004292EF
                                      • Part of subcall function 0041A0D8: CreateFontIndirectA.GDI32(?), ref: 0041A197
                                    • SelectObject.GDI32(00000000,00000000), ref: 004292FE
                                    • GetTextMetricsA.GDI32(00000000,?), ref: 0042930B
                                    • SelectObject.GDI32(00000000,00000000), ref: 00429312
                                    • 73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0042931A
                                    • GetSystemMetrics.USER32(00000006), ref: 0042933F
                                    • GetSystemMetrics.USER32(00000006), ref: 00429359
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                    • String ID:
                                    • API String ID: 361401722-0
                                    • Opcode ID: eb83e19c727c8d10f8a33b97145a555cf82c2cd109262cdffa95f62d9f27247a
                                    • Instruction ID: 978bc893b2b260433d1ea83a4e5e07dc37fffa2c043a10d0bf5726b6c8f3fb2c
                                    • Opcode Fuzzy Hash: eb83e19c727c8d10f8a33b97145a555cf82c2cd109262cdffa95f62d9f27247a
                                    • Instruction Fuzzy Hash: 450100917047102BF720A27A8CC2F6F56CCDB8835CF84053BFA46DA3C2D66C8C40876A
                                    APIs
                                    • 73E9A570.USER32(00000000,?,00418F49,00497FB5), ref: 0041DD07
                                    • 73EA4620.GDI32(00000000,0000005A,00000000,?,00418F49,00497FB5), ref: 0041DD11
                                    • 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00418F49,00497FB5), ref: 0041DD1E
                                    • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DD2D
                                    • GetStockObject.GDI32(00000007), ref: 0041DD3B
                                    • GetStockObject.GDI32(00000005), ref: 0041DD47
                                    • GetStockObject.GDI32(0000000D), ref: 0041DD53
                                    • LoadIconA.USER32(00000000,00007F00), ref: 0041DD64
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ObjectStock$A4620A480A570IconLoad
                                    • String ID:
                                    • API String ID: 2905290459-0
                                    • Opcode ID: 08d24c252a8ce41110ca94d3346de55efc83bb5d313233c7ad25f77106f385dc
                                    • Instruction ID: 56edc23db513f38df3a07ddf7ffbed94b2d1826ce130c52929af7fe326a746f6
                                    • Opcode Fuzzy Hash: 08d24c252a8ce41110ca94d3346de55efc83bb5d313233c7ad25f77106f385dc
                                    • Instruction Fuzzy Hash: 5A1100B06446455EE740BFB66952BAA37A4E714708F00503FF608AF3D2D7792C448B9E
                                    APIs
                                    • GetSystemDefaultLCID.KERNEL32(00000000,004088D0,?,?,?,?,00000000,00000000,00000000,?,004098D7,00000000,004098EA), ref: 004086A2
                                      • Part of subcall function 004084D0: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4BC,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
                                      • Part of subcall function 0040851C: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040871E,?,?,?,00000000,004088D0), ref: 0040852F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: InfoLocale$DefaultSystem
                                    • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                    • API String ID: 1044490935-665933166
                                    • Opcode ID: c356d1d2432903d6a0862a6870e040d7df7d11634a6fb666e0035c8bdf01c377
                                    • Instruction ID: 740c9f851a3e2a4023789dcd9deeee6b22989505671812504193305fbb55ecc7
                                    • Opcode Fuzzy Hash: c356d1d2432903d6a0862a6870e040d7df7d11634a6fb666e0035c8bdf01c377
                                    • Instruction Fuzzy Hash: 47514A25B002486BDB00FBA99A81A9F776ADB94308F50D47FA141BB3C6CA3CDE05975D
                                    APIs
                                    • GetVersion.KERNEL32(00000000,0044B7F5), ref: 0044B688
                                    • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0044B746
                                      • Part of subcall function 0044B988: CreatePopupMenu.USER32 ref: 0044B9A2
                                    • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0044B7D2
                                      • Part of subcall function 0044B988: CreateMenu.USER32 ref: 0044B9AC
                                    • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 0044B7B9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Menu$Insert$Create$ItemPopupVersion
                                    • String ID: ,$?
                                    • API String ID: 2359071979-2308483597
                                    • Opcode ID: 06b4bfcfc35118d92c88a89944ffdd0d6692e79d57922f343dc301c58c572f62
                                    • Instruction ID: 00185845f809b838f19f316d07810ab4425933ee578c99622cc2d21138d6d2cd
                                    • Opcode Fuzzy Hash: 06b4bfcfc35118d92c88a89944ffdd0d6692e79d57922f343dc301c58c572f62
                                    • Instruction Fuzzy Hash: C551D3B0A002459BEB10EF7AD8816AA7BF9EB49304B11457EF944E7396D738DD01CB98
                                    APIs
                                    • GetVersion.KERNEL32(00000000,00411869), ref: 004116FC
                                    • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 004117BA
                                      • Part of subcall function 00411A1C: CreatePopupMenu.USER32 ref: 00411A36
                                    • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411846
                                      • Part of subcall function 00411A1C: CreateMenu.USER32 ref: 00411A40
                                    • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 0041182D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Menu$Insert$Create$ItemPopupVersion
                                    • String ID: ,$?
                                    • API String ID: 2359071979-2308483597
                                    • Opcode ID: 711a4921ef91bc7dd79d01c0158ce0a146c811355d05872b955ba550e7c4209e
                                    • Instruction ID: 775ae7a6f8a96a47d6691f1bf2895d89a8ba82bf80b118e8aa39990ec8c265c3
                                    • Opcode Fuzzy Hash: 711a4921ef91bc7dd79d01c0158ce0a146c811355d05872b955ba550e7c4209e
                                    • Instruction Fuzzy Hash: DE510574A00141ABDB10EF6ADC816EA7BF5AF09304B1585BAF904E73A6D738DD41CB58
                                    APIs
                                    • GetLastError.KERNEL32(?,DuG,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,004571A0,004571A0,?,004571A0,00000000), ref: 0045712C
                                    • CloseHandle.KERNEL32(?,?,DuG,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,004571A0,004571A0,?,004571A0), ref: 00457139
                                      • Part of subcall function 00456EF0: WaitForInputIdle.USER32(?,00000032), ref: 00456F1C
                                      • Part of subcall function 00456EF0: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00456F3E
                                      • Part of subcall function 00456EF0: GetExitCodeProcess.KERNEL32(?,?), ref: 00456F4D
                                      • Part of subcall function 00456EF0: CloseHandle.KERNEL32(?,00456F7A,00456F73,?,?,?,00000000,?,?,0045714D,?,?,?,DuG,00000000,00000000), ref: 00456F6D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                    • String ID: .bat$.cmd$COMMAND.COM" /C $DuG$cmd.exe" /C "
                                    • API String ID: 854858120-4074245938
                                    • Opcode ID: 92108ea4f261f38341bc7ab110eda2cd6104f53e1ba066d5a89c8ffa602bde02
                                    • Instruction ID: bdea040e93300a4a45758dd4332dd5ace4acf0557892b97f73592bd1a3d72094
                                    • Opcode Fuzzy Hash: 92108ea4f261f38341bc7ab110eda2cd6104f53e1ba066d5a89c8ffa602bde02
                                    • Instruction Fuzzy Hash: 41514870A4431D9BDB10EFA5DC82BDEBBB9AF44705F50403BF904A7382D7789A098B59
                                    APIs
                                    • GetObjectA.GDI32(?,00000018,?), ref: 0041BE08
                                    • GetObjectA.GDI32(?,00000018,?), ref: 0041BE17
                                    • GetBitmapBits.GDI32(?,?,?), ref: 0041BE68
                                    • GetBitmapBits.GDI32(?,?,?), ref: 0041BE76
                                    • DeleteObject.GDI32(?), ref: 0041BE7F
                                    • DeleteObject.GDI32(?), ref: 0041BE88
                                    • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BEA5
                                    Similarity
                                    • API ID: Object$BitmapBitsDelete$CreateIcon
                                    • String ID:
                                    • API String ID: 1030595962-0
                                    • Opcode ID: 098006c85f499512fca0cec7f378678d673cfd7122cd0c0b0322f39f12f07392
                                    • Instruction ID: 62de620a73628b14e406b48919a807e1f96b372cd100b898e378cd110c814f6b
                                    • Opcode Fuzzy Hash: 098006c85f499512fca0cec7f378678d673cfd7122cd0c0b0322f39f12f07392
                                    • Instruction Fuzzy Hash: 1D511831E00219AFCB14DFA9D8819DEBBF9EF48314B10852AF914E7391D738AD41CB68
                                    APIs
                                    • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CDDE
                                    • 73EA4620.GDI32(00000000,00000026), ref: 0041CDFD
                                    • 73E98830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CE63
                                    • 73E922A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CE72
                                    • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CEDC
                                    • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041CF1A
                                    • 73E98830.GDI32(?,?,00000001,0041CF4C,00000000,00000026), ref: 0041CF3F
                                    Similarity
                                    • API ID: Stretch$E98830$A4620BitsE922Mode
                                    • String ID:
                                    • API String ID: 4209919087-0
                                    • Opcode ID: 42c8774c9cbea7e7dd43adaa732d8d54fb9fadf12cd90e7b2f2638c404326adc
                                    • Instruction ID: 9ffca46cb1d43e54ba0c314b4545676a55af8b1ce3fa9384ead87e0f24ac2f9e
                                    • Opcode Fuzzy Hash: 42c8774c9cbea7e7dd43adaa732d8d54fb9fadf12cd90e7b2f2638c404326adc
                                    • Instruction Fuzzy Hash: F6514C70744200AFEB14DFA8CD85F9BBBE9AB08304F104599B544DB292C778ED91CB68
                                    APIs
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004577EF,?,00000000,0045782F), ref: 00457735
                                    Strings
                                    • PendingFileRenameOperations, xrefs: 004576D4
                                    • @5E, xrefs: 00457785
                                    • WININIT.INI, xrefs: 00457764
                                    • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004576B8
                                    • PendingFileRenameOperations2, xrefs: 00457704
                                    Similarity
                                    • API ID: CloseOpen
                                    • String ID: @5E$PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                    • API String ID: 47109696-2298943763
                                    • Opcode ID: 7d5a326d082565597482284b04ad18867edd3866ec4623081145e130b2063e2c
                                    • Instruction ID: cbf46621e8e0d5d2fbd4845a559bbc5595c90a8f0467999c937318ce8947ff8d
                                    • Opcode Fuzzy Hash: 7d5a326d082565597482284b04ad18867edd3866ec4623081145e130b2063e2c
                                    • Instruction Fuzzy Hash: E251BC30E042089BDB14EF61EC51ADEF7B9EF48305F50857BEC04A7292DB78AE45CA58
                                    APIs
                                      • Part of subcall function 0042D64C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D65F
                                    • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00459A48,?, /s ",?,regsvr32.exe",?,00459A48), ref: 004599BA
                                    Similarity
                                    • API ID: CloseDirectoryHandleSystem
                                    • String ID: /s "$ /u$0x%x$CreateProcess$D$regsvr32.exe"
                                    • API String ID: 2051275411-4177147385
                                    • Opcode ID: dcf3d3095e2008ad720dbfb4f0c2ed1ffc3d87a5e65e6d432914baa867b09f01
                                    • Instruction ID: 8e73d1629f7131521c77a55b079a65f25e3a1dcee4c1baa68960b2ea4272179e
                                    • Opcode Fuzzy Hash: dcf3d3095e2008ad720dbfb4f0c2ed1ffc3d87a5e65e6d432914baa867b09f01
                                    • Instruction Fuzzy Hash: 1C411970A04348ABDB10EFE5D882BDDB7F9AF45305F50407BA904BB292D7789E09CB59
                                    APIs
                                    • GetCursor.USER32(00000000,0046A9CA), ref: 0046A947
                                    • LoadCursorA.USER32(00000000,00007F02), ref: 0046A955
                                    • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046A9CA), ref: 0046A95B
                                    • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046A9CA), ref: 0046A965
                                    • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046A9CA), ref: 0046A96B
                                    Similarity
                                    • API ID: Cursor$LoadSleep
                                    • String ID: CheckPassword
                                    • API String ID: 4023313301-1302249611
                                    • Opcode ID: 16ea28b9fc483ba33df84c047e57bef31967c733070585c413761512e62bc2dc
                                    • Instruction ID: d9932fae0e55b0710f050a5d52da82b121a2f535e045930b63278c1cc5c80a44
                                    • Opcode Fuzzy Hash: 16ea28b9fc483ba33df84c047e57bef31967c733070585c413761512e62bc2dc
                                    • Instruction Fuzzy Hash: 2F4161746406049FD710EF69C889FDA7BE4AF44304F6580B6F844AB392D738AE45CF5A
                                    APIs
                                      • Part of subcall function 00424130: SetWindowTextA.USER32(?,00000000), ref: 00424148
                                    • ShowWindow.USER32(?,00000005,00000000,004974DD,?,?,00000000), ref: 004972AE
                                      • Part of subcall function 0042D64C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D65F
                                      • Part of subcall function 00407210: SetCurrentDirectoryA.KERNEL32(00000000,?,004972D6,00000000,004974A9,?,?,00000005,00000000,004974DD,?,?,00000000), ref: 0040721B
                                      • Part of subcall function 0042D1D4: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D262,?,?,00000000,?,?,004972E0,00000000,004974A9,?,?,00000005), ref: 0042D209
                                    Similarity
                                    • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                    • String ID: .dat$.msg$@5E$IMsg$Uninstall
                                    • API String ID: 3312786188-1220582503
                                    • Opcode ID: 95d57f9cd6b6dfabfdc9758aea8493738e1ec50c42828887b1529d6d171d6a82
                                    • Instruction ID: 423f2f3da04eb2616a9733109c9f3939c8874f7b8813d2ef7af9f31502193fb2
                                    • Opcode Fuzzy Hash: 95d57f9cd6b6dfabfdc9758aea8493738e1ec50c42828887b1529d6d171d6a82
                                    • Instruction Fuzzy Hash: AC318030B146149FCB01EFA5DC92D6EBBB5EB99304F50847AF800AB752CB38AD00CB59
                                    APIs
                                      • Part of subcall function 0041BF28: GetObjectA.GDI32(?,00000018), ref: 0041BF35
                                    • GetFocus.USER32 ref: 0041C048
                                    • 73E9A570.USER32(?), ref: 0041C054
                                    • 73E98830.GDI32(?,?,00000000,00000000,0041C0D3,?,?), ref: 0041C075
                                    • 73E922A0.GDI32(?,?,?,00000000,00000000,0041C0D3,?,?), ref: 0041C081
                                    • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C098
                                    • 73E98830.GDI32(?,00000000,00000000,0041C0DA,?,?), ref: 0041C0C0
                                    • 73E9A480.USER32(?,?,0041C0DA,?,?), ref: 0041C0CD
                                    Similarity
                                    • API ID: E98830$A480A570BitsE922FocusObject
                                    • String ID:
                                    • API String ID: 2688936647-0
                                    • Opcode ID: f96886033a79aed13389ff125195cfbb6d748b25d642f8b7e517d56d72e51c39
                                    • Instruction ID: 882458c93fcbd7e2c13981e042b0644d3ec7300de4ae812ca6520d891bb8ed8c
                                    • Opcode Fuzzy Hash: f96886033a79aed13389ff125195cfbb6d748b25d642f8b7e517d56d72e51c39
                                    • Instruction Fuzzy Hash: 05112971A44604AFDB10DBE9CC85FAFBBFCEB4C700F15486AB514E7281D678AD408B68
                                    APIs
                                    • GetSystemMetrics.USER32(0000000E), ref: 00418B60
                                    • GetSystemMetrics.USER32(0000000D), ref: 00418B68
                                    • 6F9A2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418B6E
                                      • Part of subcall function 00409920: 6F99C400.COMCTL32(0049B624,000000FF,00000000,00418B9C,00000000,00418BF8,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00409924
                                    • 6FA0CB00.COMCTL32(0049B624,00000000,00000000,00000000,00000000,00418BF8,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418BBE
                                    • 6FA0C740.COMCTL32(00000000,?,0049B624,00000000,00000000,00000000,00000000,00418BF8,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418BC9
                                    • 6FA0CB00.COMCTL32(0049B624,00000001,?,?,00000000,?,0049B624,00000000,00000000,00000000,00000000,00418BF8,?,00000000,0000000D,00000000), ref: 00418BDC
                                    • 6F9A0860.COMCTL32(0049B624,00418BFF,?,00000000,?,0049B624,00000000,00000000,00000000,00000000,00418BF8,?,00000000,0000000D,00000000,0000000E), ref: 00418BF2
                                    Similarity
                                    • API ID: MetricsSystem$A0860A2980C400C740
                                    • String ID:
                                    • API String ID: 1086221473-0
                                    • Opcode ID: ae480b6d9b7f181e20b8d34093088dc9eb11cb49fbc922a092d331743e8bd63e
                                    • Instruction ID: aa83cc944fcdf67eaa961e077a9154aff362f1f519ebcfb20f91ef90c721befa
                                    • Opcode Fuzzy Hash: ae480b6d9b7f181e20b8d34093088dc9eb11cb49fbc922a092d331743e8bd63e
                                    • Instruction Fuzzy Hash: C4113675744204BADB10EBA5DC83F6E73B8DB48B04F50406AB604F72D2DA79AD408758
                                    APIs
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00481808), ref: 004817ED
                                    Similarity
                                    • API ID: CloseOpen
                                    • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                    • API String ID: 47109696-2530820420
                                    • Opcode ID: fe87b658d39beb9295d050a7a0d6f63909083a9b96f843555b71332dcece622f
                                    • Instruction ID: 964902ffada28f41ce6e5d8735493b796952bc09720936b07091f097b9c616f1
                                    • Opcode Fuzzy Hash: fe87b658d39beb9295d050a7a0d6f63909083a9b96f843555b71332dcece622f
                                    • Instruction Fuzzy Hash: C6119074A04204AADB10F7A69C52A5F7AACDB15744F61887BA800D76A1E7389A03D71D
                                    APIs
                                    • 73E9A570.USER32(00000000,?,?,00000000), ref: 00494B6D
                                      • Part of subcall function 0041A0D8: CreateFontIndirectA.GDI32(?), ref: 0041A197
                                    • SelectObject.GDI32(00000000,00000000), ref: 00494B8F
                                    • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,004950E9), ref: 00494BA3
                                    • GetTextMetricsA.GDI32(00000000,?), ref: 00494BC5
                                    • 73E9A480.USER32(00000000,00000000,00494BEF,00494BE8,?,00000000,?,?,00000000), ref: 00494BE2
                                    Strings
                                    • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00494B9A
                                    Similarity
                                    • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                    • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                    • API String ID: 1435929781-222967699
                                    • Opcode ID: 013b24607045e6ee552fbf00cda4cf79a3a3d8fb9a20d9cd00ec4f2653754a91
                                    • Instruction ID: 4b78f91f8e9c9734299f96ec9d8f9db405744ae4c8bf9d99521978ec30b90c5d
                                    • Opcode Fuzzy Hash: 013b24607045e6ee552fbf00cda4cf79a3a3d8fb9a20d9cd00ec4f2653754a91
                                    • Instruction Fuzzy Hash: BB016176A44604AFEB00DBA9CC41F5FB7FCDB48704F510476B604E7281D678BE018B64
                                    APIs
                                    • SelectObject.GDI32(00000000,?), ref: 0041B350
                                    • SelectObject.GDI32(?,00000000), ref: 0041B35F
                                    • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B38B
                                    • SelectObject.GDI32(00000000,00000000), ref: 0041B399
                                    • SelectObject.GDI32(?,00000000), ref: 0041B3A7
                                    • DeleteDC.GDI32(00000000), ref: 0041B3B0
                                    • DeleteDC.GDI32(?), ref: 0041B3B9
                                    Similarity
                                    • API ID: ObjectSelect$Delete$Stretch
                                    • String ID:
                                    • API String ID: 1458357782-0
                                    • Opcode ID: da42b0249cb53e81fb560672d066769cf753180ab0b44a984c47786dc78ee098
                                    • Instruction ID: 6f962d35ddf88c49cf61b570dbb8c0fd674fa0696e344f228c638823e0d5fafb
                                    • Opcode Fuzzy Hash: da42b0249cb53e81fb560672d066769cf753180ab0b44a984c47786dc78ee098
                                    • Instruction Fuzzy Hash: 8B115072E00619AFDF10DAE9DC85FEFB3BCEB08705F144555BA14FB241C678A9418BA4
                                    APIs
                                    • GetCursorPos.USER32 ref: 0042321B
                                    • WindowFromPoint.USER32(?,?), ref: 00423228
                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00423236
                                    • GetCurrentThreadId.KERNEL32 ref: 0042323D
                                    • SendMessageA.USER32(00000000,00000084,?,?), ref: 00423256
                                    • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 0042326D
                                    • SetCursor.USER32(00000000), ref: 0042327F
                                    Similarity
                                    • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                    • String ID:
                                    • API String ID: 1770779139-0
                                    • Opcode ID: 2b7259932d71df688bbb805db478febdb896395a8f363f4dedb8e9fba77405dc
                                    • Instruction ID: 77a2d18084f66174ea94b74cea3c192c97eaf9b0e93fdae46b8e3271155d7b73
                                    • Opcode Fuzzy Hash: 2b7259932d71df688bbb805db478febdb896395a8f363f4dedb8e9fba77405dc
                                    • Instruction Fuzzy Hash: A601F722304310BADA20BB755C86E3F72BCDB85B59F10417FB908AB282D93D8D10937D
                                    APIs
                                    • GetModuleHandleA.KERNEL32(user32.dll), ref: 00494990
                                    • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0049499D
                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004949AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                    • API String ID: 667068680-2254406584
                                    • Opcode ID: 7cf457127c7cd1dbb6b90e71566e2adc63b18961a18aa806e0ec6a646fb73d9b
                                    • Instruction ID: 8fe0b0650e9ed58d040838661c59d29ffb7cf9a816f18c73468a89bf85f1dc88
                                    • Opcode Fuzzy Hash: 7cf457127c7cd1dbb6b90e71566e2adc63b18961a18aa806e0ec6a646fb73d9b
                                    • Instruction Fuzzy Hash: 49F0C292A41A2826DE1061768C42E6B6ACCCBC1760F150137BD04A7282E96C8C1682FD
                                    APIs
                                    • GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045EB09
                                    • GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045EB19
                                    • GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045EB29
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressProc
                                    • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                    • API String ID: 190572456-508647305
                                    • Opcode ID: 9c0ecaecc5b10723d9d6a38144b42caa8026a6852e7ed9954574bfd2677a140a
                                    • Instruction ID: 7ddbc4a50238415323a63c637e88282f460363ccbb5c0db26fbfbe6d044fa849
                                    • Opcode Fuzzy Hash: 9c0ecaecc5b10723d9d6a38144b42caa8026a6852e7ed9954574bfd2677a140a
                                    • Instruction Fuzzy Hash: 1FF06DB19406C0DFE708EFB3ACC571637D5A3A2307F14813BA809921A2D77C0458CA6C
                                    APIs
                                    • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045EFED
                                    • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045EFFD
                                    • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045F00D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressProc
                                    • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                    • API String ID: 190572456-212574377
                                    • Opcode ID: 7ee26048a81558886d30cfb529d3fb4243f866675a45d14b80914edc5b900c0e
                                    • Instruction ID: 026a6a7779f1902fb04c08c4305fb2ac11e5fc3b38d01319e77e40707fc228fb
                                    • Opcode Fuzzy Hash: 7ee26048a81558886d30cfb529d3fb4243f866675a45d14b80914edc5b900c0e
                                    • Instruction Fuzzy Hash: 42F06D70980600DED718DFB2AC8072733D5A7A5B0AF18823B9C04522E3D778040ECF2D
                                    APIs
                                    • LoadLibraryA.KERNEL32(oleacc.dll,?,00452099), ref: 0044F81F
                                    • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044F830
                                    • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044F840
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                    • API String ID: 2238633743-1050967733
                                    • Opcode ID: ea130b8824f048da4bfc54a9fe62174ce457f75e42ef4dfba1aa015e0eddeac6
                                    • Instruction ID: b81fe155cac541e2a2298d627fc296d1445de2efc1a9222d1aa86743aab05ef5
                                    • Opcode Fuzzy Hash: ea130b8824f048da4bfc54a9fe62174ce457f75e42ef4dfba1aa015e0eddeac6
                                    • Instruction Fuzzy Hash: 6EF0F8706447659EF710BBB2FEA57263294E360708F10567BE4019E2A2C7BD5888CF9C
                                    APIs
                                    • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,00495216,QueryCancelAutoPlay,00498005), ref: 0042E606
                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E60C
                                    • InterlockedExchange.KERNEL32(0049B65C,00000001), ref: 0042E61D
                                    • ChangeWindowMessageFilter.USER32(0000C1CC,00000001), ref: 0042E62E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressChangeExchangeFilterHandleInterlockedMessageModuleProcWindow
                                    • String ID: ChangeWindowMessageFilter$user32.dll
                                    • API String ID: 1365377179-2498399450
                                    • Opcode ID: fb1ae785d59619c118581f67e7b029e388f60004ac7fa565a7f22efd5fb5a631
                                    • Instruction ID: e1a62c2b5d45a34a8a07990f926298cf7864f59ebb81b39598c3a77c127407d0
                                    • Opcode Fuzzy Hash: fb1ae785d59619c118581f67e7b029e388f60004ac7fa565a7f22efd5fb5a631
                                    • Instruction Fuzzy Hash: 16E0ECB1751318AADE103B62BD8AF567668E734B09F908437F401651E1C7FC1C94CE6E
                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,00497FFB), ref: 0047770A
                                    • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00477717
                                    • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00477727
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                    • API String ID: 667068680-222143506
                                    • Opcode ID: ceded14bc550ec89915d5256b251724868ec1bad181b91b2feaeb60f0a3ef05b
                                    • Instruction ID: 6803c9b60007aecd74825894cb3907bbeedf59bb8d0dbc9fdcd901d70e2b53e0
                                    • Opcode Fuzzy Hash: ceded14bc550ec89915d5256b251724868ec1bad181b91b2feaeb60f0a3ef05b
                                    • Instruction Fuzzy Hash: 85C012A1A89744BEDA04F7F11CC396A3798C510709370947BB908651D2D57C1C148B3D
                                    APIs
                                    • GetFocus.USER32 ref: 0041B625
                                    • 73E9A570.USER32(?), ref: 0041B631
                                    • 73E98830.GDI32(00000000,?,00000000,00000000,0041B6FC,?,?), ref: 0041B666
                                    • 73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041B6FC,?,?), ref: 0041B672
                                    • 73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B6DA,?,00000000,0041B6FC,?,?), ref: 0041B6A0
                                    • 73E98830.GDI32(00000000,00000000,00000000,0041B6E1,?,?,00000000,00000000,0041B6DA,?,00000000,0041B6FC,?,?), ref: 0041B6D4
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: E98830$A570A6310E922Focus
                                    • String ID:
                                    • API String ID: 184897721-0
                                    • Opcode ID: 5948f7444c770463e90ee5a831fb014da8df8f0e73df39cbed9e1731728c5c03
                                    • Instruction ID: 334c526110b769b94863acd2c7d4d6154a51e2ef6e48f497e5cebd49167078f3
                                    • Opcode Fuzzy Hash: 5948f7444c770463e90ee5a831fb014da8df8f0e73df39cbed9e1731728c5c03
                                    • Instruction Fuzzy Hash: 9F512A70A00208AFDF11DFA9C885AEEBBB9FF49704F10446AF500E7250D7799D81CBA9
                                    APIs
                                    • GetFocus.USER32 ref: 0041B8F7
                                    • 73E9A570.USER32(?), ref: 0041B903
                                    • 73E98830.GDI32(00000000,?,00000000,00000000,0041B9C9,?,?), ref: 0041B93D
                                    • 73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041B9C9,?,?), ref: 0041B949
                                    • 73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B9A7,?,00000000,0041B9C9,?,?), ref: 0041B96D
                                    • 73E98830.GDI32(00000000,00000000,00000000,0041B9AE,?,?,00000000,00000000,0041B9A7,?,00000000,0041B9C9,?,?), ref: 0041B9A1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: E98830$A570A6310E922Focus
                                    • String ID:
                                    • API String ID: 184897721-0
                                    • Opcode ID: 89621007295a135384ec4b0adbe8274137cf96482bdef83e2fc143f5b90419f8
                                    • Instruction ID: 78b0ba95b323991c9f68e9152caf74dd601f410072d3d7472d9bc660bbd33a5a
                                    • Opcode Fuzzy Hash: 89621007295a135384ec4b0adbe8274137cf96482bdef83e2fc143f5b90419f8
                                    • Instruction Fuzzy Hash: E75129B5A006189FDB11DFA9C841AAEB7F9FF48700F11846AF904EB750D7389D40CBA8
                                    APIs
                                    • GetFocus.USER32 ref: 0041B45E
                                    • 73E9A570.USER32(?,00000000,0041B538,?,?,?,?), ref: 0041B46A
                                    • 73EA4620.GDI32(?,00000068,00000000,0041B50C,?,?,00000000,0041B538,?,?,?,?), ref: 0041B486
                                    • 73ECE680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B50C,?,?,00000000,0041B538,?,?,?,?), ref: 0041B4A3
                                    • 73ECE680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B50C,?,?,00000000,0041B538), ref: 0041B4BA
                                    • 73E9A480.USER32(?,?,0041B513,?,?), ref: 0041B506
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: E680$A4620A480A570Focus
                                    • String ID:
                                    • API String ID: 2226671993-0
                                    • Opcode ID: 5ca096daa34ba01f5c1ec4da7c6aeb187bd080697d1176ed16cab641111264b1
                                    • Instruction ID: 6792b3640eaa41d52ef71c1272c9074596f60f58e0bb70ebdb4f6019d5a2cd5e
                                    • Opcode Fuzzy Hash: 5ca096daa34ba01f5c1ec4da7c6aeb187bd080697d1176ed16cab641111264b1
                                    • Instruction Fuzzy Hash: DD41C831A04614AFDB10DFA9C895A9FBBB4EF45704F1484AAF504EB352D338AD10CBA5
                                    APIs
                                      • Part of subcall function 0045365C: SetEndOfFile.KERNEL32(?,?,0045DCDA,00000000,0045DE65,?,00000000,00000002,00000002), ref: 00453663
                                      • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,0049B624,00497B6D,00000000,00497BC2,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 00495BA5
                                    • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00495BB9
                                    • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00495BD3
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495BDF
                                    • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495BE5
                                    • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495BF8
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                    • String ID:
                                    • API String ID: 1570157960-0
                                    • Opcode ID: 01317f174ea3a4f18413b85b59505e77abe6be553b765ea6eea9c95c8428a3fe
                                    • Instruction ID: 03674c4c27228cd970c3c66d33a793ac36a7076358a08f0d48fec0e1f825eb6d
                                    • Opcode Fuzzy Hash: 01317f174ea3a4f18413b85b59505e77abe6be553b765ea6eea9c95c8428a3fe
                                    • Instruction Fuzzy Hash: A4219E70344701AEEB12EB76EC92F2B37ACD714718F20443BB504972E2DA78AC048B6D
                                    APIs
                                    • SetLastError.KERNEL32(00000057,00000000,0045EA90,?,?,?,?,00000000), ref: 0045EA2F
                                    • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045EAFC,?,00000000,0045EA90,?,?,?,?,00000000), ref: 0045EA6E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                    • API String ID: 1452528299-1580325520
                                    • Opcode ID: 87888cf4ba23ae11d93129dc7caf1c65957163b96ea800b17e0fe087ff1fbdfd
                                    • Instruction ID: cf0a10a74821426e18c94d0604ddbbaf598d3e0de7bf22b0706b61a28fd1539f
                                    • Opcode Fuzzy Hash: 87888cf4ba23ae11d93129dc7caf1c65957163b96ea800b17e0fe087ff1fbdfd
                                    • Instruction Fuzzy Hash: 55119635604208AFEB19DFF78881B5A769CF748306F604477BD0166683D67C5F099A1E
                                    APIs
                                    • GetSystemMetrics.USER32(0000000B), ref: 0041BCB5
                                    • GetSystemMetrics.USER32(0000000C), ref: 0041BCBF
                                    • 73E9A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BCC9
                                    • 73EA4620.GDI32(00000000,0000000E,00000000,0041BD3C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BCF0
                                    • 73EA4620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BD3C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BCFD
                                    • 73E9A480.USER32(00000000,00000000,0041BD43,0000000E,00000000,0041BD3C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD36
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: A4620MetricsSystem$A480A570
                                    • String ID:
                                    • API String ID: 4120540252-0
                                    • Opcode ID: 2c8130a0bd48d7e7c9e86b99b5cc77f41d45e91a476a65f6902f6c94db786565
                                    • Instruction ID: a1d114e0877617c840ced6ef6dd2e4f02bc017c9221bfc9334888c44b767a1c1
                                    • Opcode Fuzzy Hash: 2c8130a0bd48d7e7c9e86b99b5cc77f41d45e91a476a65f6902f6c94db786565
                                    • Instruction Fuzzy Hash: 52213C74E00648AFEB00EFA9C941BEEBBB4EF48714F10842AF414B7781D7795940CBA9
                                    APIs
                                    • CloseHandle.KERNEL32(?), ref: 0045A753
                                    • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 0045A76F
                                    • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 0045A77D
                                    • GetExitCodeProcess.KERNEL32(?), ref: 0045A78E
                                    • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045A7D5
                                    • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045A7F1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                    • String ID:
                                    • API String ID: 3355656108-0
                                    • Opcode ID: 03f67bb683251bc5a9e33c5805ec94ee6b700adc36c70251657f23139292a971
                                    • Instruction ID: f56b2225fffa91562d53f0c9e46cc41b8b0602afd8be2b3098a1f8cadf9d4ffe
                                    • Opcode Fuzzy Hash: 03f67bb683251bc5a9e33c5805ec94ee6b700adc36c70251657f23139292a971
                                    • Instruction Fuzzy Hash: 34213C74604741AAC720E6798445B4B76E49B08305F04CA2FB999C7693D77CE8589B1B
                                    APIs
                                    • GetWindowLongA.USER32(?,000000EC), ref: 0047C6AA
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046BEA2), ref: 0047C6D0
                                    • GetWindowLongA.USER32(?,000000EC), ref: 0047C6E0
                                    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047C701
                                    • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047C715
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047C731
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Window$Long$Show
                                    • String ID:
                                    • API String ID: 3609083571-0
                                    • Opcode ID: 5c801982fc428271183d8f45ec87bb92cb144bd6bf30a27442f73122994f62f0
                                    • Instruction ID: 22d6de8a617a992caf6ac03a38cdb81eb53f9ff138a923e2288a3c734be84a1c
                                    • Opcode Fuzzy Hash: 5c801982fc428271183d8f45ec87bb92cb144bd6bf30a27442f73122994f62f0
                                    • Instruction Fuzzy Hash: D90100B66402106BD610DB68DE81F6637D8AB2D350F05466ABA55EF2E7C729EC008F49
                                    APIs
                                      • Part of subcall function 0041A5D0: CreateBrushIndirect.GDI32 ref: 0041A63B
                                    • UnrealizeObject.GDI32(00000000), ref: 0041B15C
                                    • SelectObject.GDI32(?,00000000), ref: 0041B16E
                                    • SetBkColor.GDI32(?,00000000), ref: 0041B191
                                    • SetBkMode.GDI32(?,00000002), ref: 0041B19C
                                    • SetBkColor.GDI32(?,00000000), ref: 0041B1B7
                                    • SetBkMode.GDI32(?,00000001), ref: 0041B1C2
                                      • Part of subcall function 00419F48: GetSysColor.USER32(?), ref: 00419F52
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                    • String ID:
                                    • API String ID: 3527656728-0
                                    • Opcode ID: f892fbf6f95076826115e25236ba76b8b69de747abfd9af1a15d8026eb2fda23
                                    • Instruction ID: 9402780d82006876151113d14c9416dcd6f7e417e3267b45a2a318493d7bb92f
                                    • Opcode Fuzzy Hash: f892fbf6f95076826115e25236ba76b8b69de747abfd9af1a15d8026eb2fda23
                                    • Instruction Fuzzy Hash: 2AF0C2B5505200ABDF04FFBADAC6E4B67ACAF043097044096B904DF197C97CDC519B39
                                    APIs
                                    • LoadCursorA.USER32(00000000,00007F02), ref: 00462EE4
                                    • SetCursor.USER32(00000000,00000000,00007F02,00000000,00462F79), ref: 00462EEA
                                    • SetCursor.USER32(?,00462F61,00007F02,00000000,00462F79), ref: 00462F54
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Cursor$Load
                                    • String ID: $
                                    • API String ID: 1675784387-227171996
                                    • Opcode ID: 140ed33ab113738f7a1ced28892d7817577b910fdc94a11567810c4508ed1d13
                                    • Instruction ID: a4fc161aefbf843e80fc7af06a3cde0d35cd11b5e9f3a72d2bc379e172b153fc
                                    • Opcode Fuzzy Hash: 140ed33ab113738f7a1ced28892d7817577b910fdc94a11567810c4508ed1d13
                                    • Instruction Fuzzy Hash: E9B1B730600644EFDB10DF29C585B9ABBF4EF05304F1584AEE8459B792DB78EE44CB1A
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000), ref: 0047F7FC
                                    • FreeLibrary.KERNEL32(00000000), ref: 0047F810
                                    • SendNotifyMessageA.USER32(000103BC,00000496,00002710,00000000), ref: 0047F882
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: FreeLibrary$MessageNotifySend
                                    • String ID: DeinitializeSetup$GetCustomSetupExitCode
                                    • API String ID: 3817813901-1243468240
                                    • Opcode ID: fe6c06b0dae42c8b20bfff3b3a7010061ca08cee03aa5986186110475e40756b
                                    • Instruction ID: 27e699427b3e8470f70adbdb308053b8d2455e3cda8f2a656dfaa0e1695972ea
                                    • Opcode Fuzzy Hash: fe6c06b0dae42c8b20bfff3b3a7010061ca08cee03aa5986186110475e40756b
                                    • Instruction Fuzzy Hash: DA518C34604200AFD724EFA9E885B9A77A4EB59704F51C07BFC08D72A1DB389C49CB5E
                                    APIs
                                    • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00475BA6
                                    • 73EA59E0.USER32(00000000,000000FC,00475B04,00000000,00475D36,?,00000000,00475D5B), ref: 00475BCD
                                    • GetACP.KERNEL32(00000000,00475D36,?,00000000,00475D5B), ref: 00475C0A
                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00475C50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ClassInfoMessageSend
                                    • String ID: COMBOBOX
                                    • API String ID: 1455646776-1136563877
                                    • Opcode ID: 7b975b0fb02d3516f1f078e7cdb8453a337402e7a96b4b9c769474fffcea29a3
                                    • Instruction ID: 4294d7f6af5a4863727ae348e5e4d4b6354e9f6d2f89c79baadb16ca68be58bb
                                    • Opcode Fuzzy Hash: 7b975b0fb02d3516f1f078e7cdb8453a337402e7a96b4b9c769474fffcea29a3
                                    • Instruction Fuzzy Hash: 74511D34A006049FDB11EF69D885EDAB7F5EB09304F15C1BAE8089F362D778AD41CB58
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!dI,_iu,?,00000000,00455B7E), ref: 00455B33
                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!dI,_iu,?,00000000,00455B7E), ref: 00455B43
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CloseCreateFileHandle
                                    • String ID: !dI$.tmp$_iu
                                    • API String ID: 3498533004-3229431593
                                    • Opcode ID: faa9a2b9e0c9ff1b77feb3e4ee9aeeffaa176ade52c1a3b3bb9266898bac2641
                                    • Instruction ID: c7743a6442f3498a7d8b6190ad8bfcb523b3e3dac9a2cca65b913b7c0d867f93
                                    • Opcode Fuzzy Hash: faa9a2b9e0c9ff1b77feb3e4ee9aeeffaa176ade52c1a3b3bb9266898bac2641
                                    • Instruction Fuzzy Hash: D831C770A40609ABCB11EBE5C892BAEBB75AF44315F10017AF900B73C2D7786E048758
                                    APIs
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046FCB5,?,?,?,?,00000000), ref: 0046FC1F
                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046FCB5), ref: 0046FC36
                                    • AddFontResourceA.GDI32(00000000), ref: 0046FC53
                                    • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046FC67
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                    • String ID: AddFontResource
                                    • API String ID: 955540645-2705230933
                                    • Opcode ID: 5dbbe8db30743cb1685f65dbaa0fa3ab6c99fb6ccfbea3af5331457fd8b5468c
                                    • Instruction ID: a1167f47506af32c75b6015121628877d5bba0ba566ff66694286ba57812fa18
                                    • Opcode Fuzzy Hash: 5dbbe8db30743cb1685f65dbaa0fa3ab6c99fb6ccfbea3af5331457fd8b5468c
                                    • Instruction Fuzzy Hash: 5B2186757402086ADB10E7A6AC52F5E776CEB45704F604077BD40EB2C2E67D9D06861E
                                    APIs
                                    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404D29
                                    • ExitProcess.KERNEL32 ref: 00404D71
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ExitMessageProcess
                                    • String ID: Error$Runtime error at 00000000$h@
                                    • API String ID: 1220098344-4194508115
                                    • Opcode ID: 7211d1fa90b58a88f30587abdd20061382270699c311403c7119cbd17a84818c
                                    • Instruction ID: 8c121fc7dcca831364b701390240323aa5f26009b629ed4d011fc6663e230b5b
                                    • Opcode Fuzzy Hash: 7211d1fa90b58a88f30587abdd20061382270699c311403c7119cbd17a84818c
                                    • Instruction Fuzzy Hash: 9321A460A052418AEB109739BA857163B91D7E9308F04807BD361BB3E2C77C8C49C7EE
                                    APIs
                                    • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042E69E
                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E6A4
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042E6CD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressByteCharHandleModuleMultiProcWide
                                    • String ID: ShutdownBlockReasonCreate$user32.dll
                                    • API String ID: 828529508-2866557904
                                    • Opcode ID: 7431158a8fbc7cfa5174c2b5a208ec601ecf7036ee9a23c6294735aace865b2b
                                    • Instruction ID: db7d3bb4190fb9b7f71e6fb4ebf401b8abc7e049be7694eac751abf5f6cc5938
                                    • Opcode Fuzzy Hash: 7431158a8fbc7cfa5174c2b5a208ec601ecf7036ee9a23c6294735aace865b2b
                                    • Instruction Fuzzy Hash: A4F062A134062237E22066ABAC86F6F65CC8FA4759F540436F508E62D2E96C8915826E
                                    APIs
                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004597F8
                                    • GetExitCodeProcess.KERNEL32(?,00497BC2), ref: 00459819
                                    • CloseHandle.KERNEL32(?,0045984C,?,?,0045A053,00000000,00000000), ref: 0045983F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                    • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                    • API String ID: 2573145106-3235461205
                                    • Opcode ID: 07e3caaccd488352cefe457a19107fd99362e35c7d9444bf7966644e29705c75
                                    • Instruction ID: f3ac9c943b9981a1928d095828b72e40355497dfaac8381d7d20a9f75499fa81
                                    • Opcode Fuzzy Hash: 07e3caaccd488352cefe457a19107fd99362e35c7d9444bf7966644e29705c75
                                    • Instruction Fuzzy Hash: 5C01AD30A10604EFDB10FBA99912A6E73E8EB4A715F604077F814D72D2DA389D088A6D
                                    APIs
                                    • RegDeleteKeyA.ADVAPI32(00000000,?), ref: 0042DB34
                                    • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DCB7,00000000,0042DCCF,?,?,?,?,00000006,?,00000000,00496E1A), ref: 0042DB4F
                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DB55
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressDeleteHandleModuleProc
                                    • String ID: RegDeleteKeyExA$advapi32.dll
                                    • API String ID: 588496660-1846899949
                                    • Opcode ID: 4c2ffd188e5a7723673ec81f36e5aa28094342a4f71ae1c025835932399b5465
                                    • Instruction ID: c6c7137c4470c9b522d27fd3a3b83fead704d00126080fe7c03be6fa8ed3b442
                                    • Opcode Fuzzy Hash: 4c2ffd188e5a7723673ec81f36e5aa28094342a4f71ae1c025835932399b5465
                                    • Instruction Fuzzy Hash: 88E06571B01270BAD62026A87C99F972F58D724365F614037F105651E282FC2CD0D6AD
                                    APIs
                                    • GetWindowThreadProcessId.USER32(00000000), ref: 0047696C
                                    • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00476A57,0049C07C,00000000), ref: 0047697F
                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00476985
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProcProcessThreadWindow
                                    • String ID: AllowSetForegroundWindow$user32.dll
                                    • API String ID: 1782028327-3855017861
                                    • Opcode ID: e968b6dd24c5264397b33d7d8b46da0154f9cdbdc672132b7c4439300537c5ea
                                    • Instruction ID: bea922fc78e21d5a049d894fb0c0d24d69504b333e4812d7ec65dbbe795c6ed6
                                    • Opcode Fuzzy Hash: e968b6dd24c5264397b33d7d8b46da0154f9cdbdc672132b7c4439300537c5ea
                                    • Instruction Fuzzy Hash: E2D0A7D1200B0139DD00B7F24D46E7B339E89C0B08B11C83F7948E21C6DA3CE804853D
                                    APIs
                                    • BeginPaint.USER32(00000000,?), ref: 00416B52
                                    • SaveDC.GDI32(?), ref: 00416B83
                                    • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416C45), ref: 00416BE4
                                    • RestoreDC.GDI32(?,?), ref: 00416C0B
                                    • EndPaint.USER32(00000000,?,00416C4C,00000000,00416C45), ref: 00416C3F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Paint$BeginClipExcludeRectRestoreSave
                                    • String ID:
                                    • API String ID: 3808407030-0
                                    APIs
                                    • SendMessageA.USER32(00000000,?,?), ref: 00458B12
                                      • Part of subcall function 004240E8: GetWindowTextA.USER32(?,?,00000100), ref: 00424108
                                      • Part of subcall function 0041ED84: GetCurrentThreadId.KERNEL32 ref: 0041EDD3
                                      • Part of subcall function 0041ED84: 73EA5940.USER32(00000000,0041ED34,00000000,00000000,0041EDF0,?,00000000,0041EE27,?,0042E7A4,?,00000001), ref: 0041EDD9
                                      • Part of subcall function 00424130: SetWindowTextA.USER32(?,00000000), ref: 00424148
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00458B79
                                    • TranslateMessage.USER32(?), ref: 00458B97
                                    • DispatchMessageA.USER32(?), ref: 00458BA0
                                    Similarity
                                    • API ID: Message$TextWindow$A5940CurrentDispatchSendThreadTranslate
                                    • String ID:
                                    • API String ID: 1715333840-0
                                    APIs
                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429664
                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429693
                                    • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 004296AF
                                    • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 004296DA
                                    • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004296F8
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    APIs
                                    • GetSystemMetrics.USER32(0000000B), ref: 0041BAAA
                                    • GetSystemMetrics.USER32(0000000C), ref: 0041BAB4
                                    • 73E9A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BAF2
                                    • 73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BC5D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BB39
                                    • DeleteObject.GDI32(00000000), ref: 0041BB7A
                                    Similarity
                                    • API ID: MetricsSystem$A570A6310DeleteObject
                                    • String ID:
                                    • API String ID: 3435189566-0
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CAA
                                    • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CB5
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CC8
                                    • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403CD2
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403CE1
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocString
                                    • String ID:
                                    • API String ID: 262959230-0
                                    APIs
                                    • 73E98830.GDI32(00000000,00000000,00000000), ref: 00414349
                                    • 73E922A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414351
                                    • 73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414365
                                    • 73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041436B
                                    • 73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414376
                                    Similarity
                                    • API ID: E922E98830$A480
                                    • String ID:
                                    • API String ID: 3692852386-0
                                    APIs
                                    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,|Ag,?,?,?,0040189C), ref: 0040155E
                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,|Ag,?,?,?,0040189C), ref: 00401583
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,|Ag,?,?,?,0040189C), ref: 004015A9
                                    Strings
                                    Similarity
                                    • API ID: Virtual$Alloc$Free
                                    • String ID: LBg$|Ag
                                    • API String ID: 3668210933-1061872555
                                    APIs
                                      • Part of subcall function 0041EF54: GetActiveWindow.USER32 ref: 0041EF57
                                      • Part of subcall function 0041EF54: GetCurrentThreadId.KERNEL32 ref: 0041EF6C
                                      • Part of subcall function 0041EF54: 73EA5940.USER32(00000000,Function_0001EF30), ref: 0041EF72
                                      • Part of subcall function 00423014: GetSystemMetrics.USER32(00000000), ref: 00423016
                                    • OffsetRect.USER32(?,?,?), ref: 00424C35
                                    • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424CF8
                                    • OffsetRect.USER32(?,?,?), ref: 00424D09
                                      • Part of subcall function 004233D0: GetCurrentThreadId.KERNEL32 ref: 004233E5
                                      • Part of subcall function 004233D0: SetWindowsHookExA.USER32(00000003,0042338C,00000000,00000000), ref: 004233F5
                                      • Part of subcall function 004233D0: CreateThread.KERNEL32(00000000,000003E8,0042333C,00000000,00000000), ref: 00423419
                                      • Part of subcall function 00424998: SetTimer.USER32(00000000,00000001,?,00423320), ref: 004249B3
                                    Strings
                                    Similarity
                                    • API ID: Thread$CurrentOffsetRect$A5940ActiveCreateDrawHookMetricsSystemTextTimerWindowWindows
                                    • String ID: JB
                                    • API String ID: 1334498448-1987384239
                                    APIs
                                    • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406F6B
                                    • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00406FE5
                                    • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 0040703D
                                    Strings
                                    Similarity
                                    • API ID: Enum$NameOpenResourceUniversal
                                    • String ID: Z
                                    • API String ID: 3604996873-1505515367
                                    APIs
                                    • SetRectEmpty.USER32(?), ref: 00450072
                                    • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0045009D
                                    • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 00450125
                                    Strings
                                    Similarity
                                    • API ID: DrawText$EmptyRect
                                    • String ID:
                                    • API String ID: 182455014-2867612384
                                    APIs
                                    • 73E9A570.USER32(00000000,00000000,0042E9BC,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E892
                                      • Part of subcall function 0041A0D8: CreateFontIndirectA.GDI32(?), ref: 0041A197
                                    • SelectObject.GDI32(?,00000000), ref: 0042E8B5
                                    • 73E9A480.USER32(00000000,?,0042E9A1,00000000,0042E99A,?,00000000,00000000,0042E9BC,?,?,?,?,00000000,00000000,00000000), ref: 0042E994
                                    Strings
                                    Similarity
                                    • API ID: A480A570CreateFontIndirectObjectSelect
                                    • String ID: ...\
                                    • API String ID: 2998766281-983595016
                                    APIs
                                    • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00456DF6
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00456EBC), ref: 00456E60
                                    Strings
                                    Similarity
                                    • API ID: AddressByteCharMultiProcWide
                                    • String ID: SfcIsFileProtected$sfc.dll
                                    • API String ID: 2508298434-591603554
                                    APIs
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    • RegCloseKey.ADVAPI32(?,00491C36,?,?,00000001,00000000,00000000,00491C51), ref: 00491C1F
                                    Strings
                                    • Inno Setup CodeFile: , xrefs: 00491BE2
                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00491B92
                                    • %s\%s_is1, xrefs: 00491BB0
                                    Similarity
                                    • API ID: CloseOpen
                                    • String ID: %s\%s_is1$Inno Setup CodeFile: $Software\Microsoft\Windows\CurrentVersion\Uninstall
                                    • API String ID: 47109696-1837835967
                                    APIs
                                    • GetClassInfoA.USER32(00400000,?,?), ref: 0041637F
                                    • UnregisterClassA.USER32(?,00400000), ref: 004163AB
                                    • RegisterClassA.USER32(?), ref: 004163CE
                                    Strings
                                    Similarity
                                    • API ID: Class$InfoRegisterUnregister
                                    • String ID: @
                                    • API String ID: 3749476976-2766056989
                                    • Opcode ID: 7916eb7b4d7c65d96644c3f9d3a076dc8505a9ef5ad78d32c1847957e1eadb7e
                                    • Instruction ID: 62eab71bcd824bb5b5d7669dd8144b976349bed46a21bb7e700594c72d29496b
                                    • Opcode Fuzzy Hash: 7916eb7b4d7c65d96644c3f9d3a076dc8505a9ef5ad78d32c1847957e1eadb7e
                                    • Instruction Fuzzy Hash: AA3190706043048BD720EF69C981B9B77E5AB48308F00447FFA45DB392DB39D944CB6A
                                    APIs
                                    • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045B3DB
                                    Strings
                                    Similarity
                                    • API ID: AddressProc
                                    • String ID: CreateAssemblyCache$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                    • API String ID: 190572456-1920768207
                                    • Opcode ID: 7a406073278e21841584d2aa709d20387a62aff6e745ca73b00339402eca4f44
                                    • Instruction ID: 7400ec865090c46c582bde69ecfa8b5511ee2716ee7a0f286396e9dab08430b6
                                    • Opcode Fuzzy Hash: 7a406073278e21841584d2aa709d20387a62aff6e745ca73b00339402eca4f44
                                    • Instruction Fuzzy Hash: 32316471E00609ABC711EFA5C88169EBBB4EF45315F50857AE814A7383D73899098BD9
                                    APIs
                                    • GetFileAttributesA.KERNEL32(00000000,00497F4D,00000000,00497782,?,?,00000000,0049B624), ref: 004976FC
                                    • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00497F4D,00000000,00497782,?,?,00000000,0049B624), ref: 00497725
                                    • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0049773E
                                    Strings
                                    Similarity
                                    • API ID: File$Attributes$Move
                                    • String ID: isRS-%.3u.tmp
                                    • API String ID: 3839737484-3657609586
                                    • Opcode ID: e989dd3f9ce4aee783e1b0c3cb845526604490488ef88f474a6edfab5a50f21c
                                    • Instruction ID: fcaeb3cda72ffc9ac812e08be32d1fb9e451da8f703664dd9b75bb4d49c0b901
                                    • Opcode Fuzzy Hash: e989dd3f9ce4aee783e1b0c3cb845526604490488ef88f474a6edfab5a50f21c
                                    • Instruction Fuzzy Hash: 65212471E146199BCF04EFE9C8C1AAFBFB8EB44314F11457AE814B32D1D6786E018B59
                                    APIs
                                      • Part of subcall function 0042C58C: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C5B0
                                      • Part of subcall function 00403C70: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CAA
                                      • Part of subcall function 00403C70: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CB5
                                    • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004585FC
                                    • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00458629
                                    Strings
                                    Similarity
                                    • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                    • String ID: LoadTypeLib$RegisterTypeLib
                                    • API String ID: 1312246647-2435364021
                                    • Opcode ID: 2a0168ed0eabcac60ef7d1f550a188b57d64bf369e3f98bb9aa2423b6c37040e
                                    • Instruction ID: 763657b25e591b60db776042f6813b1281ec0a09011c730881d437738af60ff3
                                    • Opcode Fuzzy Hash: 2a0168ed0eabcac60ef7d1f550a188b57d64bf369e3f98bb9aa2423b6c37040e
                                    • Instruction Fuzzy Hash: F1119370B00604BFDB11EFA6CD51A5EB7ADEB89705B50847ABC04E3652DE389E54CA28
                                    APIs
                                      • Part of subcall function 00424130: SetWindowTextA.USER32(?,00000000), ref: 00424148
                                    • GetFocus.USER32 ref: 0047723B
                                    • GetKeyState.USER32(0000007A), ref: 0047724D
                                    • WaitMessage.USER32(?,00000000,00477274,?,00000000,0047729B,?,?,00000001,00000000,?,?,?,?,0047E3AF,00000000), ref: 00477257
                                    Strings
                                    Similarity
                                    • API ID: FocusMessageStateTextWaitWindow
                                    • String ID: Wnd=$%x
                                    • API String ID: 1381870634-2927251529
                                    • Opcode ID: 5cb33fb9d1b7947a742cf1c384c79c81241ef4912ac8dc5c9ef36107d6306553
                                    • Instruction ID: 4211a758ec32d33d6b918d48d4745538af448e1f46899948238bb85d1e618cc5
                                    • Opcode Fuzzy Hash: 5cb33fb9d1b7947a742cf1c384c79c81241ef4912ac8dc5c9ef36107d6306553
                                    • Instruction Fuzzy Hash: 2111E730608604AFC700EF65DC4299E7BF9EB49304B9184FAF818E3292D7386D008AA9
                                    APIs
                                    • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046DFC4
                                    • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046DFD3
                                    Strings
                                    Similarity
                                    • API ID: Time$File$LocalSystem
                                    • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                    • API String ID: 1748579591-1013271723
                                    • Opcode ID: 23da6b5d7eba7ab2ed0a30e2383aff9a89f0298bb0c7ab36e8895c98ddc970fa
                                    • Instruction ID: 55e8afb0f3cc72efb2ce91fb3f61479217193e9034cd776a67465677fd4fd1c0
                                    • Opcode Fuzzy Hash: 23da6b5d7eba7ab2ed0a30e2383aff9a89f0298bb0c7ab36e8895c98ddc970fa
                                    • Instruction Fuzzy Hash: 84110DA440C3919AD340CF2AC44432FBBE4AB89704F04492EF9D8D6381E779C948DB77
                                    APIs
                                    • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00455FE7
                                      • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,0049B624,00497B6D,00000000,00497BC2,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
                                    • MoveFileA.KERNEL32(00000000,00000000), ref: 0045600C
                                      • Part of subcall function 00455624: GetLastError.KERNEL32(00000000,00456095,00000005,00000000,004560CA,?,?,00000000,0049B624,00000004,00000000,00000000,00000000,?,00497821,00000000), ref: 00455627
                                    Strings
                                    Similarity
                                    • API ID: File$AttributesDeleteErrorLastMove
                                    • String ID: DeleteFile$MoveFile
                                    • API String ID: 3024442154-139070271
                                    • Opcode ID: 28b5d0d9edc780002879a5f128c8f20a2faac4656396e4916e8bb48b82653a32
                                    • Instruction ID: 2db7b8224894354521df2c31a2c1ffa5663400f0ab423fd6653f671ea1bf13e9
                                    • Opcode Fuzzy Hash: 28b5d0d9edc780002879a5f128c8f20a2faac4656396e4916e8bb48b82653a32
                                    • Instruction Fuzzy Hash: 46F04F702146044ADB00EBA6E89266F67ECEB4431AFA1403BE804A72C3DA3D9D044929
                                    APIs
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    • RegCloseKey.ADVAPI32(?,004579FB,?,00000001,00000000), ref: 004579EE
                                    Strings
                                    • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0045799C
                                    • PendingFileRenameOperations, xrefs: 004579C0
                                    • PendingFileRenameOperations2, xrefs: 004579CF
                                    Similarity
                                    • API ID: CloseOpen
                                    • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                    • API String ID: 47109696-2115312317
                                    • Opcode ID: b99d3feb19611e13adbc4e751731c66df117e40756e6421d78c0c3e58abaf841
                                    • Instruction ID: 98c2beea8fa0fdd78e540fd79a0357284075b02911df00950abc362576172ccc
                                    • Opcode Fuzzy Hash: b99d3feb19611e13adbc4e751731c66df117e40756e6421d78c0c3e58abaf841
                                    • Instruction Fuzzy Hash: 8FF0F6712082047FEB05DA66FC12A1B779CC744715FB044B7F80486682EA39AD04D62C
                                    APIs
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004816E9
                                    • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0048170C
                                    Strings
                                    • CSDVersion, xrefs: 004816E0
                                    • System\CurrentControlSet\Control\Windows, xrefs: 004816B6
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                    • API String ID: 3677997916-1910633163
                                    • Opcode ID: 2a986e05847ac67bbe34c5ab6dbfe13277190f278ad5070b509e118de9070ea1
                                    • Instruction ID: c7d842d7bd98f2207ec5f6dd26f7895ac9e554a6485f6ced65b026534932e6ab
                                    • Opcode Fuzzy Hash: 2a986e05847ac67bbe34c5ab6dbfe13277190f278ad5070b509e118de9070ea1
                                    • Instruction Fuzzy Hash: 2DF04475E40309AAEF10EAE18C45BEFB3FC9B04705F10456BEA11E7290E638AA05CB59
                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00455CE2,00000000,00455D85,?,?,00000000,00000000,00000000,00000000,00000000,?,00456051,00000000), ref: 0042D692
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D698
                                    Strings
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                    • API String ID: 1646373207-4063490227
                                    • Opcode ID: 595352e68a3e9ae5fc7fbc0765368d21a2183c65efa172772130a367d3a60bff
                                    • Instruction ID: abf3cd9a26cf14f69719b90575ad172cde3327b0ffce8ad6aea99a9d39b747b3
                                    • Opcode Fuzzy Hash: 595352e68a3e9ae5fc7fbc0765368d21a2183c65efa172772130a367d3a60bff
                                    • Instruction Fuzzy Hash: D4E0DF61B00B4022DB0075BA6C82A5B218D4B84704FA0443B7848E52E2EDBCC9545A6E
                                    APIs
                                    • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042E694), ref: 0042E726
                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E72C
                                    Strings
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: ShutdownBlockReasonDestroy$user32.dll
                                    • API String ID: 1646373207-260599015
                                    • Opcode ID: ed06899e010fab2539733e47668712c96247decad5aa72f3df9d8a3c049c66db
                                    • Instruction ID: 5009f34e10a7482a65ab0c2eb9f83c57f5fd775773607ac2436138cf6f74a0e4
                                    • Opcode Fuzzy Hash: ed06899e010fab2539733e47668712c96247decad5aa72f3df9d8a3c049c66db
                                    • Instruction Fuzzy Hash: 5ED0C953751B363A6A1031FB3DD19EB43DCC9A02AA3680077F904E6281EAADCC1116AD
                                    APIs
                                    • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00497FCE), ref: 0045278B
                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00452791
                                    Strings
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: NotifyWinEvent$user32.dll
                                    • API String ID: 1646373207-597752486
                                    • Opcode ID: c801f135770b4b98eb95e46e0c4faacf31c15d01ac31119328293b7e18c4dd91
                                    • Instruction ID: dec7a9456784a6846a7af7bbfa237ddb8f03227d70b0727c9507e46e28cd2772
                                    • Opcode Fuzzy Hash: c801f135770b4b98eb95e46e0c4faacf31c15d01ac31119328293b7e18c4dd91
                                    • Instruction Fuzzy Hash: 0FE0E6A59013446ACB40FBB66F0671B3A90E759709B10417FF80065153D7BC041C8F5D
                                    APIs
                                    • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049801F,00000001,00000000,00498043), ref: 00497D9E
                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00497DA4
                                    Strings
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: DisableProcessWindowsGhosting$user32.dll
                                    • API String ID: 1646373207-834958232
                                    • Opcode ID: bbc36b4c874d66c9906a94b982fad813f4bb0712859aac60617bebeec1f7c759
                                    • Instruction ID: 853af0198b399c6a325763e81afe5810e1bad0777d75b6053cd257899c46bb98
                                    • Opcode Fuzzy Hash: bbc36b4c874d66c9906a94b982fad813f4bb0712859aac60617bebeec1f7c759
                                    • Instruction Fuzzy Hash: 29B09251268700248C8032B20C06B2F1A484C80749B208277BC10B04C6DE6CC410867E
                                    APIs
                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00471AF1,?,00000000,?,00000001,00000000,00471CBF,?,00000000,?,00000000,?,00471E7A), ref: 00471ACD
                                    • FindClose.KERNEL32(000000FF,00471AF8,00471AF1,?,00000000,?,00000001,00000000,00471CBF,?,00000000,?,00000000,?,00471E7A,?), ref: 00471AEB
                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00471C13,?,00000000,?,00000001,00000000,00471CBF,?,00000000,?,00000000,?,00471E7A), ref: 00471BEF
                                    • FindClose.KERNEL32(000000FF,00471C1A,00471C13,?,00000000,?,00000001,00000000,00471CBF,?,00000000,?,00000000,?,00471E7A,?), ref: 00471C0D
                                    Similarity
                                    • API ID: Find$CloseFileNext
                                    • String ID:
                                    • API String ID: 2066263336-0
                                    • Opcode ID: ee354c24ae443d9abf9fc13b64eb800509c7a7493de7699b9fedef1f19a8e274
                                    • Instruction ID: c964290a9491cbb8288f9fe0bfd348e3348d814f73e1f1eb80bbbf53be421caa
                                    • Opcode Fuzzy Hash: ee354c24ae443d9abf9fc13b64eb800509c7a7493de7699b9fedef1f19a8e274
                                    • Instruction Fuzzy Hash: 8DB12D7490425D9FCF11DFA9C881ADEBBB9FF49304F5081AAE808B3261D7399A45CF54
                                    APIs
                                    • GetDesktopWindow.USER32 ref: 00413C76
                                    • GetDesktopWindow.USER32 ref: 00413D2E
                                      • Part of subcall function 00418DB0: 6FA0C6F0.COMCTL32(?,00000000,00413EF3,00000000,00414003,?,?,0049B624), ref: 00418DCC
                                      • Part of subcall function 00418DB0: ShowCursor.USER32(00000001,?,00000000,00413EF3,00000000,00414003,?,?,0049B624), ref: 00418DE9
                                    • SetCursor.USER32(00000000,?,?,?,?,00413A3B,00000000,00413A4E), ref: 00413D6C
                                    Similarity
                                    • API ID: CursorDesktopWindow$Show
                                    • String ID:
                                    • API String ID: 2074268717-0
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 004089DD
                                    • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408A4C
                                    • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408AE7
                                    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408B26
                                    Similarity
                                    • API ID: LoadString$FileMessageModuleName
                                    • String ID:
                                    • API String ID: 704749118-0
                                    APIs
                                      • Part of subcall function 00476964: GetWindowThreadProcessId.USER32(00000000), ref: 0047696C
                                      • Part of subcall function 00476964: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00476A57,0049C07C,00000000), ref: 0047697F
                                      • Part of subcall function 00476964: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00476985
                                    • SendMessageA.USER32(00000000,0000004A,00000000,00476DD6), ref: 00476A65
                                    • GetTickCount.KERNEL32 ref: 00476AAA
                                    • GetTickCount.KERNEL32 ref: 00476AB4
                                    • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00476B09
                                    Similarity
                                    • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                    • String ID:
                                    • API String ID: 613034392-0
                                    APIs
                                    • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 00451925
                                      • Part of subcall function 0044FF74: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044FFA6
                                    • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 004519A9
                                      • Part of subcall function 0042B9D4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042B9E8
                                    • IsRectEmpty.USER32(?), ref: 0045196B
                                    • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0045198E
                                    Similarity
                                    • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                    • String ID:
                                    • API String ID: 855768636-0
                                    APIs
                                    • OffsetRect.USER32(?,?,00000000), ref: 00494FE0
                                    • OffsetRect.USER32(?,00000000,?), ref: 00494FFB
                                    • OffsetRect.USER32(?,?,00000000), ref: 00495015
                                    • OffsetRect.USER32(?,00000000,?), ref: 00495030
                                    Similarity
                                    • API ID: OffsetRect
                                    • String ID:
                                    • API String ID: 177026234-0
                                    APIs
                                    • GetCursorPos.USER32 ref: 0041715C
                                    • SetCursor.USER32(00000000), ref: 0041719F
                                    • GetLastActivePopup.USER32(?), ref: 004171C9
                                    • GetForegroundWindow.USER32(?), ref: 004171D0
                                    Similarity
                                    • API ID: Cursor$ActiveForegroundLastPopupWindow
                                    • String ID:
                                    • API String ID: 1959210111-0
                                    APIs
                                    • MulDiv.KERNEL32(8B500000,00000008,00000000), ref: 00494C49
                                    • MulDiv.KERNEL32(5514246C,00000008,?), ref: 00494C5C
                                    • MulDiv.KERNEL32(F7088FE8,00000008,00000000), ref: 00494C73
                                    • MulDiv.KERNEL32(2C538BFF,00000008,?), ref: 00494C91
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    • GetClassInfoA.USER32(00400000,0041F350,?), ref: 0041F381
                                    • UnregisterClassA.USER32(0041F350,00400000), ref: 0041F3AA
                                    • RegisterClassA.USER32(00499598), ref: 0041F3B4
                                    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F3EF
                                    Similarity
                                    • API ID: Class$InfoLongRegisterUnregisterWindow
                                    • String ID:
                                    • API String ID: 4025006896-0
                                    APIs
                                    • WaitForInputIdle.USER32(?,00000032), ref: 00456F1C
                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00456F3E
                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00456F4D
                                    • CloseHandle.KERNEL32(?,00456F7A,00456F73,?,?,?,00000000,?,?,0045714D,?,?,?,DuG,00000000,00000000), ref: 00456F6D
                                    Similarity
                                    • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                    • String ID:
                                    • API String ID: 4071923889-0
                                    APIs
                                    • GetSystemMenu.USER32(?,00000000,00000000,0047FC50), ref: 0047FBD9
                                    • GetMenuStringA.USER32(00000000,00000008,?,00000101,00000400), ref: 0047FBF4
                                    • DeleteMenu.USER32(00000000,00000008,00000400,00000000,00000008,?,00000101,00000400,?,00000000,00000000,0047FC50), ref: 0047FC25
                                    • DeleteMenu.USER32(00000000,00000007,00000400,00000000,00000008,00000400,00000000,00000008,?,00000101,00000400,?,00000000,00000000,0047FC50), ref: 0047FC32
                                    Similarity
                                    • API ID: Menu$Delete$StringSystem
                                    • String ID:
                                    • API String ID: 1572062458-0
                                    APIs
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045D19A,?,?,?,?,?,00000000,0045D1C1), ref: 00457D58
                                    • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045D19A,?,?,?,?,?,00000000), ref: 00457D61
                                    • RemoveFontResourceA.GDI32(00000000), ref: 00457D6E
                                    • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00457D82
                                    Similarity
                                    • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                    • String ID:
                                    • API String ID: 4283692357-0
                                    APIs
                                    Similarity
                                    • API ID: ErrorLast$CountSleepTick
                                    • String ID:
                                    • API String ID: 2227064392-0
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000008,?,0047E94C,?,?,00000001,00000000,00000002,00000000,0047F1F9,?,?,?,?,?,004980A8), ref: 00476FBD
                                    • OpenProcessToken.ADVAPI32(00000000,00000008,?,0047E94C,?,?,00000001,00000000,00000002,00000000,0047F1F9), ref: 00476FC3
                                    • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,0047E94C,?,?,00000001,00000000,00000002,00000000,0047F1F9), ref: 00476FE5
                                    • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,0047E94C,?,?,00000001,00000000,00000002,00000000), ref: 00476FF6
                                    Similarity
                                    • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                    • String ID:
                                    • API String ID: 215268677-0
                                    APIs
                                    • GetLastActivePopup.USER32(?), ref: 004240B8
                                    • IsWindowVisible.USER32(?), ref: 004240C9
                                    • IsWindowEnabled.USER32(?), ref: 004240D3
                                    • SetForegroundWindow.USER32(?), ref: 004240DD
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                    • String ID:
                                    • API String ID: 2280970139-0
                                    • Opcode ID: 78dbdbea32568a9f7af5a73017657d5b9e4d0be9d540b597aa154e903440c98b
                                    • Instruction ID: f660df8284c7b7ed8b6bb93e0cc08f70b24f6022508c4e80735fab2cd19761fe
                                    • Opcode Fuzzy Hash: 78dbdbea32568a9f7af5a73017657d5b9e4d0be9d540b597aa154e903440c98b
                                    • Instruction Fuzzy Hash: DEE04F55701A32238E316635188199B218CCD483443A9803BAF40FF282DA2CCE90C5EC
                                    APIs
                                    • GlobalHandle.KERNEL32 ref: 0040620F
                                    • GlobalUnlock.KERNEL32(00000000), ref: 00406216
                                    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040621B
                                    • GlobalLock.KERNEL32(00000000), ref: 00406221
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Global$AllocHandleLockUnlock
                                    • String ID:
                                    • API String ID: 2167344118-0
                                    • Opcode ID: ce3d7e98eb083abff9625d8cb9893dc6388229aa378701f4c8ed04985a1b0bf0
                                    • Instruction ID: b3e54847029d21a42a3033ff9c5f336f79fb2b9e909d9c34e2666d276069dca4
                                    • Opcode Fuzzy Hash: ce3d7e98eb083abff9625d8cb9893dc6388229aa378701f4c8ed04985a1b0bf0
                                    • Instruction Fuzzy Hash: 62B009C4850B06B8EC0473F24C4BE3F481CD88072C7884A6F3489BA0C3987C9C18893A
                                    APIs
                                    • GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 0046A43D
                                    • EnableMenuItem.USER32(00000000,00000000,00000000), ref: 0046A443
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Menu$EnableItemSystem
                                    • String ID: CurPageChanged
                                    • API String ID: 3692539535-2490978513
                                    • Opcode ID: 8bf76764aeef47fc28394dafea6c7a8dcf940498d2c7e48c0a271ebb0c9ff70c
                                    • Instruction ID: 9f3178025475d7adfec319ae252d80234dce5e9dc333dba147822fa834df3623
                                    • Opcode Fuzzy Hash: 8bf76764aeef47fc28394dafea6c7a8dcf940498d2c7e48c0a271ebb0c9ff70c
                                    • Instruction Fuzzy Hash: A3A14934610504DFD710DB69D985AAA73F4EF48304F2540FAE804AB362EB38AE51DF4A
                                    APIs
                                    • SetActiveWindow.USER32(?,?,00000000,00481031,?,?,00000001,?), ref: 00480E2D
                                    • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00480EA2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ActiveChangeNotifyWindow
                                    • String ID:
                                    • API String ID: 1160245247-2344752452
                                    • Opcode ID: 8814701ef046cbaf7bfbc3133b4905ffc50376f83f422d434abae9c32330327d
                                    • Instruction ID: 1a3034b3c5cb6cc6745bd447210b6a450cdcf5d890387cd9cb26368610201c16
                                    • Opcode Fuzzy Hash: 8814701ef046cbaf7bfbc3133b4905ffc50376f83f422d434abae9c32330327d
                                    • Instruction Fuzzy Hash: BF9191346102449FDB10EB69D8C5B9E77E4EF55308F1084BBE9009B362DB78AD49CB5A
                                    APIs
                                    • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021E4), ref: 004020B3
                                      • Part of subcall function 004019B4: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 004019CA
                                      • Part of subcall function 004019B4: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 004019DD
                                      • Part of subcall function 004019B4: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 00401A07
                                      • Part of subcall function 004019B4: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A71,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 00401A64
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                    • String ID: HJg
                                    • API String ID: 296031713-1485329950
                                    • Opcode ID: 666c9597d2e1cd7659a315a73dbd7f073f9f2ba181461a4a97fd53defdbcf0df
                                    • Instruction ID: 81f40b821b6a2e9b0683faa3f29297bf018916ad44d2733250f8598a409a49e3
                                    • Opcode Fuzzy Hash: 666c9597d2e1cd7659a315a73dbd7f073f9f2ba181461a4a97fd53defdbcf0df
                                    • Instruction Fuzzy Hash: A741D8B2A04704DFEB10CF69EE85259B7A0FB64318F15427BD940A73D2D7786901DB88
                                    APIs
                                    • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004756DF,?,00000000,004756F0,?,00000000,00475739), ref: 004756B0
                                    • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004756DF,?,00000000,004756F0,?,00000000,00475739), ref: 004756C4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: FileTime$Local
                                    • String ID: @5E
                                    • API String ID: 791338737-727458683
                                    • Opcode ID: 4c961c4675feb1d4c7e4246a7e8fb1a7303b5a6ed7b9d311c300fc9f0f572d1b
                                    • Instruction ID: 5528f7cabe70c0c33358bc940c5f1fb2e863f839fbae34c1991089bd525356c5
                                    • Opcode Fuzzy Hash: 4c961c4675feb1d4c7e4246a7e8fb1a7303b5a6ed7b9d311c300fc9f0f572d1b
                                    • Instruction Fuzzy Hash: 5E31A970A00644AFCB11DFA5CC92FAFBBB8EB49704F51447AF904EB391D6799900CB58
                                    APIs
                                    • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004530ED
                                    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045311E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: ExecuteMessageSendShell
                                    • String ID: open
                                    • API String ID: 812272486-2758837156
                                    • Opcode ID: 4a67996288e50dfd4acfa3f9d517d06ea94da0d200cdc24dc74c68386916826f
                                    • Instruction ID: 8b801b7ac24d21daf863bd50ecca1434b314e89a6d50d4998fcc99ac134add7e
                                    • Opcode Fuzzy Hash: 4a67996288e50dfd4acfa3f9d517d06ea94da0d200cdc24dc74c68386916826f
                                    • Instruction Fuzzy Hash: 69216270E00604AFDB10DFB6C881B9EBBF8EB44745F10857AF401E7292D778DB448A58
                                    APIs
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00457298
                                    • GetLastError.KERNEL32(0000003C,00000000,004572E1,?,?,?), ref: 004572A9
                                      • Part of subcall function 00456EF0: WaitForInputIdle.USER32(?,00000032), ref: 00456F1C
                                      • Part of subcall function 00456EF0: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00456F3E
                                      • Part of subcall function 00456EF0: GetExitCodeProcess.KERNEL32(?,?), ref: 00456F4D
                                      • Part of subcall function 00456EF0: CloseHandle.KERNEL32(?,00456F7A,00456F73,?,?,?,00000000,?,?,0045714D,?,?,?,DuG,00000000,00000000), ref: 00456F6D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Wait$CloseCodeErrorExecuteExitHandleIdleInputLastMultipleObjectsProcessShell
                                    • String ID: <
                                    • API String ID: 35504260-4251816714
                                    • Opcode ID: 9c6826682c5c4aaa713ca81565663aca39ce86533e174d6dcb17df3cbbb5993b
                                    • Instruction ID: b97741f9fba736d0d8216dd46282be4d3badc5eb1d6294b0682def368c807f1a
                                    • Opcode Fuzzy Hash: 9c6826682c5c4aaa713ca81565663aca39ce86533e174d6dcb17df3cbbb5993b
                                    • Instruction Fuzzy Hash: 852141B0A042099BDB10DFA6D88269EBBE8AF08345F50447BFC44E7381DB789D55CB98
                                    APIs
                                    • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025AF
                                    • RtlLeaveCriticalSection.KERNEL32(0049B420,00402625), ref: 00402618
                                      • Part of subcall function 004019B4: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 004019CA
                                      • Part of subcall function 004019B4: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 004019DD
                                      • Part of subcall function 004019B4: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 00401A07
                                      • Part of subcall function 004019B4: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A71,00000000,00401A6A,?,?,00402216,0049B460,00000000,00000000,?,?,00401C31,00401C46,00401D8A), ref: 00401A64
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                    • String ID: )
                                    • API String ID: 2227675388-1084416617
                                    • Opcode ID: f88fe7b2c370c72fb4a578a56b329c3bbc201a528fb190316610510a1581c80e
                                    • Instruction ID: e2116c7c8a715ce1e87d7aa5e4caf4c30efd94caacd286403e31044566b3f27a
                                    • Opcode Fuzzy Hash: f88fe7b2c370c72fb4a578a56b329c3bbc201a528fb190316610510a1581c80e
                                    • Instruction Fuzzy Hash: 55113131B04204AEEB25AB7A6F5976A6BD5D789758F20047BE400F33D2D6BD8C01A25C
                                    APIs
                                      • Part of subcall function 00419F48: GetSysColor.USER32(?), ref: 00419F52
                                    • SetBkColor.GDI32(?,00000000), ref: 0041AA74
                                    • SetTextColor.GDI32(?,00000000), ref: 0041AA89
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Color$Text
                                    • String ID: []G
                                    • API String ID: 657580467-2013654889
                                    • Opcode ID: b9398cc5cf3e7575d633f2862a2454c3d595f0dd83ea28f47653d677ea290321
                                    • Instruction ID: 624daffb8aa1b390b7379c8330454b0e6cba8d3e7178995f2b1c0c083a5e8fa7
                                    • Opcode Fuzzy Hash: b9398cc5cf3e7575d633f2862a2454c3d595f0dd83ea28f47653d677ea290321
                                    • Instruction Fuzzy Hash: 911149757002059FCB04EF6DC88489AF7E9FF4931071481AAF809EB326CA34ED45CBA6
                                    APIs
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496167
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: Window
                                    • String ID: /INITPROCWND=$%x $@
                                    • API String ID: 2353593579-4169826103
                                    • Opcode ID: def1cefba96da906a2eeb2fcbcca3ca77cda4f4210104841f0fb1cccd9352608
                                    • Instruction ID: 108a49d071d5f0a290d49216d07dc1adcb2a554cab5f5cd1123dda5d6ec9485b
                                    • Opcode Fuzzy Hash: def1cefba96da906a2eeb2fcbcca3ca77cda4f4210104841f0fb1cccd9352608
                                    • Instruction Fuzzy Hash: 5011B431A083498FDB01EFA4E852BAE7BE8EB09304F51447BE504E7292D77D9905C759
                                    APIs
                                      • Part of subcall function 00403C70: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CAA
                                      • Part of subcall function 00403C70: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CB5
                                    • SysFreeString.OLEAUT32(?), ref: 0044748E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: String$AllocByteCharFreeMultiWide
                                    • String ID: NIL Interface Exception$Unknown Method
                                    • API String ID: 3952431833-1023667238
                                    • Opcode ID: 4de27ec79b034963490293dcf4006e129efdbdc7124ee52bd4e6230e191c6c4a
                                    • Instruction ID: adbaf937b258f0be3f91096c6230fc863fe66fd5c3df048c8695640fcf1b7de4
                                    • Opcode Fuzzy Hash: 4de27ec79b034963490293dcf4006e129efdbdc7124ee52bd4e6230e191c6c4a
                                    • Instruction Fuzzy Hash: 9F119370604204AFE710EFA58992A7FBBACEB09704F91447FF500E7281DB789D00CB69
                                    APIs
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495A88,?,00495A7C,00000000,00495A63), ref: 00495A2E
                                    • CloseHandle.KERNEL32(00495AC8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495A88,?,00495A7C,00000000), ref: 00495A45
                                      • Part of subcall function 00495918: GetLastError.KERNEL32(00000000,004959B0,?,?,?,?), ref: 0049593C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.3353975688.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.3353940457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354111696.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354133173.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354157647.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000001.00000002.3354180995.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_400000_AMS_Client_SSO.jbxd
                                    Similarity
                                    • API ID: CloseCreateErrorHandleLastProcess
                                    • String ID: 0dI
                                    • API String ID: 3798668922-3585829653
                                    APIs
                                    • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DA5C
                                    • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DA9C
                                    Strings
                                    Similarity
                                    • API ID: Value$EnumQuery
                                    • String ID: Inno Setup: No Icons
                                    • API String ID: 1576479698-2016326496
                                    APIs
                                    • GetKeyState.USER32(00000010), ref: 0044C2AE
                                    • GetKeyState.USER32(00000011), ref: 0044C2C0
                                    Strings
                                    Similarity
                                    • API ID: State
                                    • String ID:
                                    • API String ID: 1649606143-3916222277
                                    APIs
                                      • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,0049B624,00497B6D,00000000,00497BC2,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
                                    • MoveFileA.KERNEL32(00000000,00000000), ref: 00474BE6
                                      • Part of subcall function 00474A4C: GetLastError.KERNEL32(00000000,00474B38,?,?,?,0049C184,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00474BAB,00000001), ref: 00474A6D
                                    Strings
                                    Similarity
                                    • API ID: File$DeleteErrorLastMove
                                    • String ID: DeleteFile$MoveFile
                                    • API String ID: 3195829115-139070271
                                    APIs
                                      • Part of subcall function 0042DB00: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004816C7,?,00000001,?,?,004816C7,?,00000001,00000000), ref: 0042DB1C
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,0045B0EE,00000000,0045B23B,?,00000000,00000000,00000000), ref: 0045B00D
                                    Strings
                                    Similarity
                                    • API ID: CloseOpen
                                    • String ID: InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                    • API String ID: 47109696-2121887819
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047495B), ref: 00474749
                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047495B), ref: 00474760
                                      • Part of subcall function 00455624: GetLastError.KERNEL32(00000000,00456095,00000005,00000000,004560CA,?,?,00000000,0049B624,00000004,00000000,00000000,00000000,?,00497821,00000000), ref: 00455627
                                    Strings
                                    Similarity
                                    • API ID: CloseCreateErrorFileHandleLast
                                    • String ID: CreateFile
                                    • API String ID: 2528220319-823142352
                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00497F92), ref: 00403333
                                    • GetCommandLineA.KERNEL32(00000000,00497F92), ref: 0040333E
                                    Strings
                                    Similarity
                                    • API ID: CommandHandleLineModule
                                    • String ID: 7e
                                    • API String ID: 2123368496-1792256529
                                    APIs
                                    Similarity
                                    • API ID: ErrorLastSleep
                                    • String ID:
                                    • API String ID: 1458359878-0